[ISN] Sprint to construct private Internet for gov't agencies
http://www.nwfusion.com/news/2003/0401sprintoco.html

By Grant Gross
IDG News Service
04/01/03

WASHINGTON - Telecommunications giant Sprint announced plans Tuesday to launch a private IP network aimed at security-conscious U.S. government agencies by late June.

The new network, which doesn't yet have a name, will mimic Sprint's SprintLink enterprise-class, IP backbone network and offer most of the same features, except that it won't be connected to the public Internet. Sprint expects government agencies that want to be especially protective of data to be the first customers, said Steve Lunceford, a Sprint spokesman. The "government-grade" private Internet should have one or two government agencies as its customers by its launch in late June, he added.

The Sprint service is designed to ease customer worries that "someone in an Internet cafe in Beijing could get into the network," Lunceford said. Customers using the private network would have to use SprintLink or another public backbone for outside e-mail or Web surfing, but individual users won't be able to tell when they're switching back and forth, he added.

Berge Ayvazian, senior research fellow with the Yankee Group, said Sprint's timing is good, given that U.S. government agencies are becoming increasingly aware of security issues. The Sprint project is the first such private IP network aimed at government users, Ayvazian believes, and he sees customers converting from other private network services that don't use IP, such as frame-relay networks.

Lunceford talked up the efficiency and ease of use for IP-based networks as opposed to frame-relay networks or ATM networks. "The beauty is (IP) communicates with everything," Lunceford said. "A concern with going to an IP network is the connection to a public IP network. This is the best of both worlds."
Ayvazian isn't sure how big the market will be for such services, but he noted that the cost to Sprint was minimal because the company is using Cisco gear recycled from its ION (Integrated On-Demand Network) broadband service, aborted in late 2002. Sprint did not disclose the cost of constructing the new network.

"We already have the expertise to put the network in place and keep it maintained," Lunceford said. "We were able to do this relatively inexpensively."

Sprint announced the new network at the GSA/FTS Network Services Conference in Orlando, Fla., Tuesday.

"We think there's going to be a lot of interest," Lunceford said. "In the future, it could go beyond the government sector and into some big enterprises."

The private network will offer most services available on SprintLink, such as virtual LAN, virtual private networks, and voice over IP, except outside e-mail and Internet access, Lunceford said, and the company expects customers to embrace those features over the private network competition. Sprint will charge a 10% to 15% premium over the cost of SprintLink.

-
ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
[ISN] InfoSec News Book Giveaway - Honeypots: Tracking Hackers
As I try to ramp up the new web version of InfoSec News, I thought I would start offering book giveaways early...

The first giveaway is Lance Spitzner's Honeypots: Tracking Hackers
http://www.amazon.com/exec/obidos/ASIN/0321108957/c4iorg

With a novel twist for information security books, we're giving away five signed copies of Lance's book! As a subscriber of InfoSec News, you're already entered into this contest. Sometime this week in the company of an attorney, and over a couple bottles of Hacker-Schorr beer, we'll randomly pick five subscribers and notify the winners via e-mail.

Honeypots: Tracking Hackers
http://www.tracking-hackers.com/book/

This is the ultimate guide to this rapidly growing, cutting-edge technology. Starting with a basic examination of honeypots and the different roles they can play, the book moves on to in-depth explorations of six specific kinds of real-world honeypots:

* BackOfficer Friendly
* Specter
* Honeyd
* Homemade honeypots
* ManTrap
* Honeynets

Detailed discussion of each honeypot shows their unique advantages and tradeoffs, the way a real attack will look to each honeypot, plus a variety of deployment and maintenance issues.
[ISN] Network Associates to buy IntruVert for $100 million
http://www.nwfusion.com/news/2003/0402intru.html

By Ellen Messmer
Network World Fusion
04/02/03

Network Associates said it has entered into an agreement to purchase IntruVert Networks for $100 million in cash, an acquisition that will give NAI a line of products as well as underlying technology for intrusion prevention.

The deal, expected to be approved by regulatory authorities in about 45 days, will bring privately held IntruVert, which makes the IntruShield 4000 and IntruShield 2600 appliances, into the NAI fold. It also puts a nail in the coffin of the strategic technology relationship that began last May between NAI and Internet Security Systems.

At that time, NAI executives said the company intended to add ISS intrusion-detection technology to NAI's high-speed Sniffer traffic-analysis product by mid-year. But slow progress raised doubts about the effort, and NAI executives a month ago acknowledged they were looking at alternatives. This week, it's IntruVert in and ISS out.

"We will not move forward with ISS in Sniffer," said Sandra England, NAI executive vice president of corporate development and strategic research. She added that she sees "no real application for [the ISS] technology in our portfolio going forward."

IntruVert's technology focus is on intrusion-prevention, which entails not just detecting attacks, but blocking them. The IntruVert product line can be used as a passive intrusion-detection system, just watching and reporting, or it can be used in the intrusion-prevention mode of blocking a perceived attack. IntruVert competes against products from Enterasys Networks, ISS, Intrusion Inc., TippingPoint, and Recourse Technologies, which was just bought by NAI archrival Symantec.
Corporate interest in using intrusion-prevention systems (IPS) is growing as these in-line products improve their speed, accuracy and fail-over capabilities, but many network managers are still reluctant to actively block traffic, concerned that legitimate traffic may be blocked by mistake.

While NAI is not going forward with the plans to add ISS intrusion detection to Sniffer, it may look at adding IntruVert's intrusion-prevention capabilities to Sniffer, though not by mid-year.

"We felt that in order to fulfill our vision to our customers, we need to own the technology," says England. "And we feel the market is moving from intrusion detection to prevention."

The $100 million deal with IntruVert may not be the last acquisition NAI will make to buy its way into some cutting-edge technologies it decided it won't develop in-house; NAI is still shopping around for host-based intrusion-prevention, which blocks attacks on servers or desktops.
[ISN] Homeland Security Department tackles enterprise architecture
http://www.computerworld.com/securitytopics/security/story/0,10801,79963,00.html

By DAN VERTON
APRIL 02, 2003
Computerworld

WASHINGTON -- The U.S. Department of Homeland Security (DHS) plans to complete an initial inventory of its entire IT infrastructure by June -- a critical step toward the ultimate creation of a nationwide architecture for homeland security, said Steve Cooper, the department's CIO.

The new department has already identified more than 2,500 "mission-critical applications or automated solution sets" and more than 50,000 "items" that make up its IT infrastructure, said Cooper, speaking yesterday at the Secure E-Business Executive Summit in Arlington, Va. However, the process of taking an initial inventory is only 40% to 50% complete, he said.

The DHS includes 22 formerly independent federal agencies, and the Office of Management and Budget began working on the Federal Enterprise Architecture Framework in February 2002. The goal is to leverage IT to simplify processes and unify work across agencies and throughout federal business processes. The challenge for homeland security, however, is to devise an architecture that is secure and aids rapid information-sharing and collaboration at all levels of government and the private sector.

"The national enterprise architecture is not just federal," said Cooper. "We've reached out to state and local environments, and we are reaching out [to the private sector]. But we haven't figured out the optimal way to reach out to the private sector."

The department has started an aggressive outreach effort that's being led by a series of independent task forces hoping to identify business processes common to the department's five directorates. Meanwhile, two separate task forces have been studying infrastructure and application security. And a third task force is studying security from a physical and business-process standpoint, he said.
The challenge of creating a robust enterprise architecture that is both open and secure has been one of the key topics during the many town hall meetings held during the past year by the President's Critical Infrastructure Protection Board. The two goals "seem to be in conflict with each other, but I would submit that they are not," said Howard Schmidt, chairman-elect of the board.

"We have to rethink the way we [create architectures]," said Schmidt. "We used to look at what we can do with it, as opposed to what [an adversary] can do against it."

In addition, he said, the introduction of new technologies is forcing officials to "redefine what it means to have a secure architecture.

"Now, the end point, the handheld, the wireless phone are part of your architecture," said Schmidt. "And that architecture and the thought process has to change. When we start adopting IPv6 [Internet Protocol Version 6], and everything is connected and everything has an IP address, that's going to be a different architecture."

"We'll never get away from needing multiple layers of defense," said Dan Mehan, CIO at the Federal Aviation Administration.

The FAA has taken a first step toward making security a core component of its enterprise architecture by integrating its information systems security with the overall National Airspace System (NAS) architecture, said Mehan. "We're now looking at the administrative and mission-support areas and harmonizing those," said Mehan.

The FAA has discovered, somewhat to its surprise, that by putting its IS security architecture on top of the NAS architecture -- and integrating the two -- it added constraints on the IS security architecture that would not have been there if the IS security architecture had been developed separately. "We're using the enterprise architecture work we're doing now to step back a little bit and see if perhaps we constrained the information systems security architecture inadvertently," he said.

Van Hitch, CIO at the U.S. Department of Justice, questioned the appropriateness of "lumping" all business processes under one enterprise architecture umbrella. "What we're really dealing with is a whole classified element of critical infrastructure that has one set of risks" and various other open and public processes, he said.

For now, however, the challenge for the DHS is to set up something that can help officials make critical decisions at a time of war, said Cooper. As a result, people should be prepared for the architecture to change over time.

"At the same time that we have true operational capability that we have to sustain, we have to make sure that it works right now," he said. "We're fighting a war in Iraq and a war on terrorism, and there are absolutely real things that we have to do right now that we honestly don't have the luxury of fully architecting before we put solutions in place. We fully recognize that some of that will have to be reshaped or replaced somewhat down the road. We accept that."

Cooper warned that the department wouldn't get it perfect the first
[ISN] Thwarting the Zombies
http://www.eweek.com/article2/0,3959,985389,00.asp

By Dennis Fisher
March 31, 2003

Eighteen thousand computers tied together in less than 24 hours; a virtual army of machines, standing ready to do the will of their new master. Think of the possibilities that kind of processing power holds: cracking immense encryption keys or helping to sequence the human genome or even aiding the search for transmissions from extraterrestrials.

But the controller of these zombie machines has a different purpose in mind: a massive, DDoS (distributed-denial-of-service) attack or perhaps several smaller attacks launched against key peering points or backbone routers on the Internet. Downstream ISPs and their end users will be suddenly shut off as technicians and engineers struggle to filter the tidal wave of traffic choking the target machines. Traffic in several segments of the global network will slow to a crawl as the malicious packets keep on coming. It will be several hours before normal service is restored and experts can go about the business of assessing the damage and trying to find out what happened.

What sounds like a doomsday scenario concocted by a marketing executive desperate for sales, is, unfortunately, real life. And the harsh reality, experts say, is that it could be far worse than the situation described above.

Vendors are trying to do their part. Security companies such as Arbor Networks Inc. are rolling out applications with sophisticated defensive features designed to detect and throttle DDoS attacks at the service provider so that downstream networks and users never feel the attack's effects. But even with these new defenses, some experts say it will take a sea change in the way end users and administrators think about security to truly solve the DDoS problem.
"There needs to be a fundamental change in the way we educate users on security and the way they use a PC," said George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College, in Hanover, N.H. "We're going to get spanked over and over again with this. Hopefully, it won't take too many more lessons, but I fear it will."

For several weeks now, experts at government agencies, private security companies and universities have been monitoring several very large networks of machines that have been compromised and loaded with "bots," which are tiny applications that allow remote attackers to control the machines via Internet Relay Chat. Hundreds or thousands of these machines can then be used in concert to launch DDoS attacks.

Bill McCarty, an associate professor of Web and information technology at Azusa Pacific University, in Azusa, Calif., said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets, in recent weeks. (A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.) One of these networks amassed more than 18,000 PCs in about 24 hours.

Meanwhile, officials at the CERT Coordination Center, in Pittsburgh, said they are aware of several large botnets, one of which stood at more than 140,000 machines earlier this month.

Unleashing an attack on a single target, especially one such as a small government agency or enterprise, from a network of that size would be devastating. Even the most well-prepared and vigilant security staff would be overwhelmed by that level of malicious traffic.

To help ISPs and telephone companies defend against these attacks, Arbor Networks last week introduced a new version of its Peakflow anti-DDoS software. Peakflow SP integrates many of the techniques that security staffs have developed over the years in fighting DDoS attacks.
Among the new features is support for both black-hole routing and sinkhole routing, two common defensive techniques. Black-hole routing allows the administrator to take all malicious traffic and route it to a null IP address or drop it. Sinkhole routing is similar, except that the traffic is sent to an IP address where it can be examined.

Both techniques are often used by administrators at the enterprise level. But they're far more effective when the ISPs employ them, as this prevents the malicious traffic from reaching the customer's network.

Most, if not all, ISPs have some level of DDoS traffic crossing their networks virtually all the time. And while this costs them money in terms of bandwidth and annoys customers, many filtering and routing defenses catch legitimate traffic as well. This puts the service providers in a tight spot.

"It's not that the service providers are a bunch of idiots. It's that they're saddled with this network and a bunch of issues that are directly in conflict with their customers' interests," said Ted Julian, chief strategist at Arbor Networks, based in Waltham, Mass.

But in the end, curtailing or halting DDoS attacks will take a coordinated effort from end users up through the servi
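The difference between the two route actions described above, and the side effect the article warns about (legitimate traffic to a black-holed destination is lost too), is easiest to see in a small forwarding model. The C below is an added illustration written for this digest, not Arbor's or any vendor's code: it implements a longest-prefix route table with three actions (forward, black-hole, sinkhole), runs a constructed set of flows through it using documentation-range addresses, and tallies how many flows were dropped, redirected to the analysis address, or forwarded, including how many non-malicious flows the black-hole route discarded along with the attack traffic. The `malicious` label on each flow exists only so the tally can count that collateral loss; a real router has no such field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Route actions modelled after the article's description. */
typedef enum { ACT_FORWARD, ACT_BLACKHOLE, ACT_SINKHOLE } action_t;

typedef struct {
    uint32_t prefix;    /* network address, host byte order */
    uint32_t mask;      /* netmask, host byte order */
    action_t action;
    uint32_t next_hop;  /* analysis box address; meaningful only for ACT_SINKHOLE */
} route_t;

typedef struct {
    uint32_t dst;       /* destination address of the flow */
    int malicious;      /* ground-truth label for the constructed sample only */
} flow_t;

typedef struct { int forwarded, dropped, sinkholed, legit_dropped; } tally_t;

/* Constructed scenario (assumed, not from the article): the attacked host
   203.0.113.7 is black-holed, customer block 198.51.100.0/24 is sinkholed to
   an analysis address 192.0.2.1, everything else follows the default route. */
static const route_t demo_table[] = {
    { 0x00000000u, 0x00000000u, ACT_FORWARD,   0 },            /* 0.0.0.0/0 */
    { 0xCB007107u, 0xFFFFFFFFu, ACT_BLACKHOLE, 0 },            /* 203.0.113.7/32 */
    { 0xC6336400u, 0xFFFFFF00u, ACT_SINKHOLE,  0xC0000201u },  /* 198.51.100.0/24 -> 192.0.2.1 */
};
#define DEMO_ROUTES (sizeof demo_table / sizeof demo_table[0])

/* Constructed flows: three attack flows plus one legitimate flow to the
   victim, two flows into the sinkholed block, one ordinary flow elsewhere. */
static const flow_t demo_flows[] = {
    { 0xCB007107u, 1 }, { 0xCB007107u, 1 }, { 0xCB007107u, 1 },  /* -> 203.0.113.7, attack */
    { 0xCB007107u, 0 },                                          /* -> 203.0.113.7, legitimate */
    { 0xC6336405u, 1 }, { 0xC6336409u, 1 },                      /* -> 198.51.100.5 / .9 */
    { 0xCB007109u, 0 },                                          /* -> 203.0.113.9, legitimate */
};
#define DEMO_FLOWS (sizeof demo_flows / sizeof demo_flows[0])

/* Longest-prefix match: among matching entries the larger mask wins. */
const route_t *lookup(const route_t *table, size_t n, uint32_t dst) {
    const route_t *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if ((dst & table[i].mask) == table[i].prefix &&
            (best == NULL || table[i].mask > best->mask))
            best = &table[i];
    }
    return best;
}

/* Apply the routing decision to every flow and count the outcome. */
tally_t apply_routes(const route_t *table, size_t n, const flow_t *flows, size_t nf) {
    tally_t t = {0, 0, 0, 0};
    for (size_t i = 0; i < nf; i++) {
        const route_t *r = lookup(table, n, flows[i].dst);
        action_t a = r ? r->action : ACT_FORWARD;
        if (a == ACT_BLACKHOLE) {
            t.dropped++;                       /* discarded: nobody sees this packet */
            if (!flows[i].malicious)
                t.legit_dropped++;             /* collateral loss of wanted traffic */
        } else if (a == ACT_SINKHOLE) {
            t.sinkholed++;                     /* delivered to r->next_hop for capture */
        } else {
            t.forwarded++;
        }
    }
    return t;
}

tally_t demo_tally(void) {
    return apply_routes(demo_table, DEMO_ROUTES, demo_flows, DEMO_FLOWS);
}

/* Where traffic into the sinkholed block actually goes. */
uint32_t demo_sinkhole_next_hop(void) {
    const route_t *r = lookup(demo_table, DEMO_ROUTES, 0xC6336405u);
    return r ? r->next_hop : 0;
}

int main(void) {
    tally_t t = demo_tally();
    printf("forwarded=%d dropped=%d (legitimate among them: %d) sinkholed=%d\n",
           t.forwarded, t.dropped, t.legit_dropped, t.sinkholed);
    printf("sinkhole next hop: 0x%08X\n", demo_sinkhole_next_hop());
    return 0;
}
```

The black-hole entry is a /32 on the victim, which is the usual shape of this mitigation: it protects the provider's links at the cost of finishing the denial of service against that one host, which is why the legitimate flow to 203.0.113.7 is counted as dropped. The sinkhole entry keeps packets flowing to a collector instead, so the same flows can be inspected before any filter is tightened.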
[ISN] Security UPDATE, April 2, 2003
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.
http://www.secadministrator.com

THIS ISSUE SPONSORED BY

FREE Security Compliance Audit for Windows
http://list.winnetmag.com/cgi-bin3/flo/y/eQJt0CJgSH0CBw076f0AK

Windows & .NET Magazine Connections
http://list.winnetmag.com/cgi-bin3/flo/y/eQJt0CJgSH0CBw0KXQ0Ar
(below IN FOCUS)

SPONSOR: FREE SECURITY COMPLIANCE AUDIT FOR WINDOWS

Are your critical Windows machines protected from the next Nimda, Code Red or SQL Slammer attacks? Why not find out? Take advantage of our FREE Security Compliance Audit available through our 15-day product evaluation for your 5 most critical Windows machines. In just minutes PatchWorks will analyze your systems and generate a policy conformance report! Click here to eliminate vulnerabilities today:
http://list.winnetmag.com/cgi-bin3/flo/y/eQJt0CJgSH0CBw076f0AK

April 2, 2003--In this issue:

1. IN FOCUS
- Jumping the Gun on Vulnerability Disclosure

2. SECURITY RISKS
- DoS in Microsoft RPC Endpoint Mapper
- DoS in Check Point VPN-1/FireWall-1 Client Component

3. ANNOUNCEMENT
- Sample Our Security Administrator Newsletter!

4. SECURITY ROUNDUP
- News: RPC Vulnerability Threatens Windows with DoS Attacks
- News: Code Execution Vulnerability in Windows Script Engine
- News: Secunia Launches New Security Advisories Service

5. INSTANT POLL
- Results of Previous Poll: WebDAV and IIS
- New Instant Poll: WEP and WPA

6. SECURITY TOOLKIT
- Virus Center
- FAQ: Why Am I Receiving Event ID Errors 5737 and 7023 on My Windows 2000 Server Service Pack 2 (SP2) System?

7. NEW AND IMPROVED
- Event Management in an Appliance
- Spam Filtering as a Service
- Submit Top Product Ideas

8. HOT THREAD
- Windows & .NET Magazine Online Forums
- Featured Thread: How Do You Print the GPO?

9. CONTACT US
See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED])

* JUMPING THE GUN ON VULNERABILITY DISCLOSURE

Last week, in my Security UPDATE commentary "Security Research: A Double-Edged Sword," I discussed how researchers discover security problems and work with vendors to coordinate information and patch release--to minimize networks' exposure to a given discovery. A recent case in point illustrates how jumping the gun on information disclosure can occur when well-intentioned researchers become impatient.
http://www.secadministrator.com/articles/index.cfm?articleid=38448

This past Saturday, while most working people on the planet were enjoying their weekends, a researcher posted a message to the BugTraq mailing list about a vulnerability in Sendmail. As you know, Sendmail is one of the most widely used SMTP mail systems, and although Sendmail was written to run primarily on UNIX systems, various vendors port the code to Windows platforms.

The researcher had discovered a problem in Sendmail stemming from insufficient bounds checking during character-to-integer conversions that might lead to a buffer overflow and subsequent compromise of a given Sendmail system. The researcher had contacted Sendmail.org on March 18 about his discovery, and the group replied the following day acknowledging the problem and stating that it would release an updated version of the product. However, if I understand the situation correctly, the updated release was not posted immediately for reasons internal to Sendmail.org, which I assume involve coordinating efforts with third-party vendors and Sendmail software users.

When after 11 days (March 29) the new version wasn't posted, the researcher decided to post a notice about the problem to BugTraq, basically stating that he was "forced" to release details of the problem. Again, I assume the researcher's intent was to put pressure on the Sendmail vendor.
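The bug class the column names, insufficient bounds checking during character-to-integer conversion, is worth seeing in isolation, because the failing check often looks correct at a glance. The C below is an added illustration written for this digest; it is not Sendmail's code and does not reproduce the Sendmail defect, only the general pattern. A byte taken from an untrusted message is widened to `int` through a signed `char` (which is what a plain `char` is on most x86 compilers), so values 0x80 through 0xff become negative, sail under a one-sided `< TABLE_SIZE` check, and would then be used as a table index before the start of the array. The hardened version widens through `unsigned char` and rejects anything outside the table; `classify()` runs it over a constructed five-byte message and reports how many bytes were refused rather than indexed.

```c
#include <stddef.h>
#include <stdio.h>

#define TABLE_SIZE 128

/* Constructed stand-in for a character-class table indexed by byte value. */
static unsigned char class_table[TABLE_SIZE];

static void init_table(void) {
    for (int i = 0; i < TABLE_SIZE; i++)
        class_table[i] = (i >= 'a' && i <= 'z') ? 1 : 0;
}

/* Vulnerable pattern (illustration only). The byte is widened to int via a
   signed char, exactly as a plain `char` would be on platforms where char is
   signed. The one-sided bound check lets negative values through, so the
   caller would read class_table[-128 .. -1], i.e. before the array. */
int naive_index(unsigned char byte) {
    signed char c = (signed char)byte;
    int idx = c;
    if (idx >= TABLE_SIZE)       /* only the upper bound is checked */
        return -1;
    return idx;                  /* -128..-1 for bytes 0x80..0xff */
}

/* Hardened pattern: widen through unsigned char so the value is always
   0..255, then check it explicitly against the table size. */
int checked_index(unsigned char byte) {
    unsigned int idx = byte;
    if (idx >= TABLE_SIZE)
        return -1;               /* reject rather than index out of bounds */
    return (int)idx;
}

/* Classify every byte of a message with the hardened index. Bytes that fail
   the check get class 0 and are counted; the count is returned. */
int classify(const unsigned char *buf, size_t len, unsigned char *out) {
    int rejected = 0;
    init_table();
    for (size_t i = 0; i < len; i++) {
        int idx = checked_index(buf[i]);
        if (idx < 0) {
            out[i] = 0;
            rejected++;
            continue;
        }
        out[i] = class_table[idx];
    }
    return rejected;
}

/* Constructed message: three ASCII bytes and two high bytes. */
int demo_rejected(void) {
    const unsigned char msg[] = { 'a', 'B', 0xff, 0x80, 'z' };
    unsigned char cls[sizeof msg];
    return classify(msg, sizeof msg, cls);
}

int main(void) {
    printf("naive_index(0x80)   = %d  (negative: would index before the table)\n",
           naive_index(0x80));
    printf("checked_index(0x80) = %d  (rejected)\n", checked_index(0x80));
    printf("bytes rejected in demo message: %d\n", demo_rejected());
    return 0;
}
```

The same widening issue applies when the byte is used as a length or count rather than an index, and the fix is the same: convert through `unsigned char` and compare against the real bound on both sides before using the value.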
With the bug now exposed to the public, Sendmail immediately--on March 29--released its updated product version (8.12.9) and posted a brief comment: "We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list which contains information about the security flaw." Sendmail wasn't entirely ready to release its updated version, but apparently Sendmail had corrected the problem in the code and had a new version it could release. I don't know the exact reasons for the 11-day delay, but again, I suspect Sendmail needed the time for testing and coordination--because Sendmail is bundled with various OSs.
http://www.sendmail.org/8.12.9.html

Jumping the gun in this way is unfortunate. This instance seems to have been the resu
[ISN] NIST security division expands role
http://www.fcw.com/fcw/articles/2003/0331/web-schmidt-04-02-03.asp

By Diane Frank
April 2, 2003

The National Institute of Standards and Technology's (NIST) Computer Security Division will be playing a significant role in the Bush administration's cybersecurity strategy, according to Howard Schmidt, acting chairman of the President's Cybersecurity Board.

The NIST division did not move to the new Information Analysis and Infrastructure Protection (IAIP) Directorate at the Homeland Security Department (DHS), as originally set out in the White House's plan. Discussions are under way to determine how the organization can and will contribute to the implementation of the National Strategy to Secure Cyberspace, Schmidt said.

"Their role will be bigger now than it ever has been in the past," he said.

Schmidt also is working with the recently appointed IAIP directorate leaders to make sure that all of the work being done by the President's Critical Infrastructure Protection Board -- dissolved in a February executive order -- is carried over into DHS. DHS Secretary Tom Ridge has met with the group several times to ensure that none of the work is lost in the transition, Schmidt said.
[ISN] Former hacker testifies to Congress about computer security
http://www.nandotimes.com/technology/story/839724p-5904624c.html

By DAVID HO, Associated Press

WASHINGTON (April 3, 2003 7:11 p.m. EST) - A convicted computer hacker told lawmakers Thursday that many attacks on companies that hold consumer financial information go undetected because of poor security.

Kevin Mitnick, whose federal probation on hacking charges ended in January, said businesses need to better protect their computers from newly discovered security flaws and train employees to spot the tricks of identity thieves.

"The bad guys are going to look for the weakest link in the security chain," said Mitnick, who served five years in federal prison for stealing software and altering data at Motorola, Novell, Nokia, Sun Microsystems and the University of Southern California. He now runs a business to help companies guard against computer attacks.

Prompted by three recent cases of information theft involving the accounts of millions of people, two subcommittees of the House Financial Services Committee heard from law enforcement and corporate officials on the growing vulnerability of consumers' most sensitive financial information.

"Consumers will quickly lose confidence in our nationwide credit system if we don't do everything practical to improve security and protect sensitive data," said Rep. Michael Oxley, R-Ohio, chairman of the full committee. He said computer information thefts cost U.S. businesses $400 million each year.

The weak links were different in the three recent incidents.

Authorities say an identity theft scheme involving Teledata Communications in New York came from the inside when an employee sold passwords for downloading consumer credit reports. Prosecutors said in November that more than 30,000 people were victimized with losses of more than $2.7 million.
In December, thieves physically broke into an office of TriWest Healthcare Alliance in Phoenix and stole computer hard drives containing Social Security numbers and addresses of about 562,000 military personnel and their families. The company, which posted a $100,000 reward for information, said no identity thefts have been reported.

Last month, a hacker broke into the computers of Data Processors International, a company based in Omaha, Neb. that handles transactions for catalog companies and other direct marketers. The Secret Service said the hacker accessed more than 10 million credit card numbers.

"The cyber threat is rapidly expanding," said James Farnan, deputy assistant director of the FBI's cyber division. "Using a simple Internet search, a 12-year-old could locate a variety of hacker tools, then download and implement them."

Farnan said the FBI has devoted more resources and training to counter the growing problem of cyber crime, which includes information theft and terrorist threats against sensitive computer networks.

"Many intrusions are never reported because companies fear a loss of business from reduced consumer confidence in their security measures or from fear of lawsuits," Farnan said.

Beginning next month, the Federal Trade Commission will require many financial institutions to better protect consumer information. Companies must have written security plans and train employees to protect sensitive data. The FTC will watch companies to make sure they follow the rules, said Howard Beales, chief of the agency's consumer protection bureau.
[ISN] Fed Agencies Asleep at the Wheel
http://www.wired.com/news/politics/0,1283,58327,00.html

By Noah Shachtman
April 03, 2003

This is how ill-prepared the federal government is to protect itself against terrorist attacks: Many of its agencies don't even know which buildings and computer networks to defend.

In 1998, the Clinton administration ordered the Departments of Energy, Commerce, and Health and Human Services, as well as the Environmental Protection Agency, to each come up with a list of crucial equipment, buildings and information technology that must be protected under any circumstance.

But nearly five years later -- and more than 18 months after Sept. 11 -- none of these agencies has completed its list, according to a report released Wednesday by the Government Accounting Office, Congress' investigative arm. And none of the agencies has comprehensive plans for keeping these assets safe.

"For most of us, this would seem to be a matter of common sense," said Ken Johnson, a spokesman for the House Energy Committee. "But these agencies still aren't taking the threat of terrorism seriously enough. In our own homes, we know the things that are most valuable to us. It's not unreasonable to ask these departments to do the same."

How would the Energy Department keep tabs on the country's stockpile of nuclear weapons if a truck bomb rammed into its headquarters? What labs would need to be secured if a nuclear "dirty bomb" went off near the Centers for Disease Control and Prevention in Atlanta? What financial databases would have to be maintained if hackers broke into the Commerce Department's computers? These are the sorts of questions the agencies are supposed to be asking themselves.

"In military terms, these would be the 'command and control' structures -- the things needed to maintain continuity of operations if their headquarters were gone or inaccessible," said Phil Anderson, a senior fellow at the Center for Strategic and International Studies.
The idea behind the Clinton directive was that the departments clearly can't protect all their assets equally. So they should concentrate their resources on the areas that matter most -- the "assets, nodes and networks that, if incapacitated or destroyed, would jeopardize the nation's survival" or "have a serious, deleterious effect on the nation at large," according to the GAO report.

But the agencies haven't complied with the executive branch directive. Instead, the GAO report alleges, they're relying on years-old defense plans "focused on protecting hundreds of assets considered essential to the agencies' missions, rather than focusing on those assets that are critical to the nation."

The departments seem to be in no hurry to settle on which areas are the most essential. "It could take years for these agencies to complete their analyses for all critical assets at their current pace," the report (PDF) said.

In written comments submitted to the GAO, the Department of Health and Human Services vigorously disagreed with this assessment. The agency said it identified its assets "more than two years ago," and is currently reviewing them again. Representatives from the other agencies investigated either refused to comment or did not return calls.

The Center for Strategic and International Studies' Anderson isn't surprised the agencies haven't finished their assessments. Large federal bureaucracies take time to build up speed on an issue, he said. And before Sept. 11, reasons for these agencies to hustle on security matters were not pressing.

"How much motivation can there be when you don't believe you're at risk?" he said.

Equally slow to develop are the ties between these federal agencies and the private sector. Commercial interests are responsible for more than 80 percent of the country's so-called critical infrastructure -- power plants, dams and the like. So it's vital that business and government exchange information about possible weaknesses and possible threats.
Right now, however, this information is brokered through a dozen different Information Sharing and Analysis Centers, known as ISACs, each representing a different industry. But these groups aren't living up to their names, because they're not actually sharing what they know with the government, according to the GAO report.

If they do, the ISACs reason, then the information can be released to the public under the Freedom of Information Act, which gives journalists and private citizens access to federal material that's not classified. And that could be dangerous, industry leaders said.

"If we do a vulnerability assessment at one of our facilities, we'll share it with the other (industry) players, but not with the Energy Department," said Bobby Gillham, global security manager for ConocoPhillips and chairman of the Energy ISAC. "We don't want it to get on some website and be a roadmap for some terrorist."
[ISN] Worms boost cyberattack stats for 2003
http://news.com.com/2100-1009-995380.html By Robert Lemos Staff Writer, CNET News.com April 3, 2003 The number of security events detected by companies in the first quarter of 2003 jumped nearly 84 percent over the preceding three months, according to a report that network-protection firm Internet Security Systems plans to release Monday. The increase in events, which can include minor probes for holes in network security as well as major attacks, stems mainly from an increase in worms and automated attack software, the company said in a summary of the report, which was seen by CNET News.com. "The large increase in mass mailing, highly persistent worms and (in) security events indicates that this year will be challenging for security officers and administrators around the world," Chris Rouland, director of ISS's research and development team, said in the summary. The study tallies the network events detected by ISS sensors deployed by some 400 clients around the world and outlines potential malicious online activity from Jan. 1 to March 31. That period includes the attack of what many consider to be the first flash worm, an automated attack program that spreads so quickly that the responders can't react fast enough. The worm, SQL Slammer, infected 200,000 computers running Microsoft's SQL Server software that hadn't had a 6-month-old patch applied. The worm is thought to have spread to 90 percent of all vulnerable servers in the first 10 minutes after it had been released on the Internet. The report found that weekends accounted for only 26 percent of all events and that Friday was the most active day, with some 2.3 million events, on average, categorized as "anomalous activity." Such events are not attacks, but mainly--in nearly three-quarters of the cases--suspicious activity. An additional 11 percent were classified by ISS as unauthorized access attempts. Slammer started spreading late on a Friday night PST. 
ISS also found that online vandals are putting more effort into exploiting existing flaws than finding new ones. According to ISS data, 606 vulnerabilities were made public in the first three months of the year, while 752 new threats were identified. The company considers threats to be programs or code that make exploiting vulnerable systems easier. Hackers are also using unknown flaws to attack systems. In March, the military detected that a previously unknown vulnerability in Microsoft's Windows 2000 operating system was being exploited by online intruders. Microsoft released a patch for the security hole five days later, but the incident acted as a reminder that there are a whole host of security flaws of which companies are not aware. The report is scheduled to be available from ISS' Web site on Monday.
[ISN] Latest Apache release fixes DOS vulnerability
http://www.nwfusion.com/news/2003/0403newapach.html By Paul Roberts IDG News Service 04/03/03 The latest release of Apache 2.0 fixes a number of security vulnerabilities including an as-yet-undisclosed flaw that could be used to launch a denial of service attack against machines running the popular Web server, according to information released by the Apache Software Foundation (ASF). The new release, version 2.0.45, is intended "principally as a security and bug fix release," according to the ASF. First and foremost on the list of fixed vulnerabilities was a security hole discovered by David Endler, director of Technical Intelligence at security intelligence firm iDefense. Details on the vulnerability discovered by Endler were not disclosed, but Apache 2.0 users were encouraged to upgrade. Endler will publish a report on the vulnerability on April 7, according to the ASF. Other, lower priority security leaks and bug fixes were also included in the 2.0.45 release. However, a known DOS vulnerability that affects those systems running Apache on the OS/2 platform remains open. The latest Apache version was "too important" to delay release until the OS/2 fix could be included, the ASF said. OS/2 users will have to wait for the release of 2.0.46 to get a fix for that problem, the ASF said. The decision by the ASF and iDefense to withhold information on a major vulnerability for a week following the release of a patch stands in contrast to prior revelations about security holes in the Apache software. In August, security company PivX Solutions released information on a major vulnerability shortly after the ASF published a software patch to fix the problem. Users of all prior versions of Apache were encouraged to update to the latest release.
[ISN] County security chief under fire
Forwarded from: William Knowles <[EMAIL PROTECTED]> http://www.siliconvalley.com/mld/siliconvalley/5547846.htm By Karen de Sá Mercury News April 03, 2003 Peter Ekanem, Santa Clara County's top information security officer, is facing possible criminal charges for unauthorized use of his office computer and cell phone, actions that amount to security breaches. Ekanem, who is under investigation by the district attorney's office, was placed on paid administrative leave Feb. 3, leaving the county without its top expert on protecting computer systems from intruders while the nation is on heightened alert against terrorism. Among other actions that violate some of the very policies he wrote, a search warrant says Ekanem e-mailed internal documents to a former county employee in Africa. Assistant District Attorney Karyn Sinunu said a decision about whether to file charges will be made "shortly." A separate administrative review also is concluding, which may result in Ekanem's termination, county officials said. Ekanem's absence has set back the rollout of the security policy he developed, said Chief Information Officer Satish Ajmani. But Ajmani added that the "guiding principles" he wrote have not changed, and an outside contractor is now implementing the plan. Ekanem said he could not discuss his situation. His co-workers in the information services department first raised the alarm in an internal review that "uncovered evidence of a potential compromise of county information security," the affidavit states. Ekanem has reportedly engaged in long personal calls during work hours and pursued a master's degree on county time without employer authorization. Ekanem -- one of only two people in the county to possess a written report of every weakness and vulnerability within county computer networks -- listed his county cell phone number as his contact for a property he rents in Richmond, a fact an Internet search quickly revealed.
In his own security policy, Ekanem wrote that employees should expect their e-mail to be monitored and that the county specifically forbids use of the network "for personal profit or running a business." Ekanem, who is 44 and earns $106,000, also is charged with sending internal county documents by e-mail to a former colleague in Ghana, who picked them up at an Internet cafe. The documents he released by e-mail are not believed to have jeopardized the county's security, but the fact that they were sent out of the county, by the official in charge of information security, prompted the inquiry. In his 18-month tenure, Ekanem wrote the county's information technology security policy, which set up a security system to protect the confidentiality of personal information about taxpayers, such as Social Security numbers, medical records, birth and death certificates. The 245-member department he works for supports all the county's computer networks, including data kept by the hospital, law enforcement and social services.

Where trouble began

Problems first arose early this year, when Ekanem's co-workers alerted administrators in the information services department that he appeared to be spending an excessive amount of time on personal calls. That led to a review of Ekanem's cell phone bill and his e-mail correspondence, which raised more alarms. County officials remain tight-lipped about the case, citing employee confidentiality. But they did release a copy of one document Ekanem is said to have e-mailed to a former information services department employee, Kwaku Nsiah, while Nsiah was in Ghana earlier this year. The two men are believed to have exchanged a series of e-mails, including discussions about the county's disaster preparedness and recovery plan. Nsiah, a former senior information technology project manager, was fired for incompetence in May during his probationary period.
One of the documents Ekanem later sent him was a highly technical report from KPMG Consulting, laying out how it would structure the county's e-government service, if awarded a contract.

One expert's view

It is rare to have a security officer lose his post for a violation of information system rules, said Kevin Dickey, chief information security officer for Contra Costa County, and an adviser to the state on security issues. Dickey, whose last job was to secure the state lottery, said he has "no knowledge of a security person in my line of work that was suspect." "Simply put, the guy should have known better," he said. "Security is accountability, integrity and confidentiality, so if your job is to secure those things for your organization and you compromise it -- well shame on you." Dean Hipwell, an information security consultant and professor of computer science at National University, said he found Ekanem's case "surprising." "There are a couple of cases where a network administrator was fired by their organization a
[ISN] Wireless Security Steps Up at West Point, Home
http://eprairie.com/news/viewnews.asp?newsletterID=4540 Spiro Papadopoulos ePrairie.com 4/3/2003 CHICAGO - In last week's column, I blithely mentioned that military use of 802.11 isn't ready for prime time due to security gaps in current technology. While I maintain that a rush to deploy Wi-Fi on highly data-sensitive networks in both the private and government sector is still a ways away, there is no denying that most organizations that have installed or are planning to deploy wireless networks are in desperate need (whether they are aware of it or not) of adequately securing their networks. Maybe we should look to the government for some help. The U.S. Military Academy at West Point has recently rolled out a secure 802.11a wireless network in its classrooms that is allegedly producing a much richer classroom experience for a thousand or so cadets. I suspect the gravitational pull toward Web surfing during a Monday morning physics lecture is quite strong. So how did West Point address security? It chose a wireless product from Cranite Systems. The product, called the "Wireless Wall Software Suite," actually consists of three components: 1. A policy server that works with an existing directory and supports the characteristics of each wireless connection on the network. 2. An access controller that encrypts and decrypts authorized traffic and allows users to roam across subnets in the network. 3. Client software that ensures a secure tunnel to the access controller. Marc Sokol, a partner at Chicago-based venture capital firm JK&B Capital, says he is impressed with the technology so much so that his firm participated in Cranite's most recent third round of funding. He says Wireless Wall is unique because "it's a layer 2 software solution that enables users to roam between access points seamlessly. A solution must be layer 2 [for it to be secure]." He's not the only one who thinks highly of the product. 
Last week, Cranite was granted Federal Information Processing Standard (FIPS) certification by the U.S. government. The certification is a notable milestone because the government mandates this seal of approval for its own cryptography-related purchases. The approval now opens a big door to government coffers. In fact, Cranite is partnering with HP to sell the solution to government agencies and is working with other value-added resellers (VARs) and system integrators to sell the solution to enterprise businesses. While that's great news for those who can afford the protection, what about security on home wireless networks? For the most part, users still don't have many options beyond traditional wired equivalent privacy (WEP) and virtual private networks (VPNs). I'm bringing this up as a reminder that WEP is still a good option for warding off the casual intruder and should be enabled at your home or office in the absence of a more robust security system. Think of it like having The Club on your network. Just keep in mind that a determined thief will find a way around almost any security measure. Speaking of home networks, I'd be remiss if I didn't comment on Cisco's recent acquisition of Linksys. In the short term, it's a solid and easy deal. With its strong presence in the home and small office networking market, Linksys will complement Cisco's dominance at the high end of the market. Seems simple enough. For now, Cisco has no plans on rebranding Linksys products under the Cisco name. Linksys will currently operate as an independent entity within Cisco. But for how long? Looking out two years from now, the picture of the networked home becomes muddled. A Cisco executive has recently said that the home networking market is at an inflection point in terms of mass appeal. He is correct. My question is whether Cisco is the right company to take advantage of the latest must-have home item. In one respect, the answer is yes. 
Since Cisco already sells high-end gear to cable companies, it's in a good position to start striking deals with the likes of Comcast and begin bundling equipment into people's homes. Another part of me says this won't be so easy. Have you ever taken a hard look at the industrial design of a Linksys access point? Though Louis Sullivan might nod in approval, Steve Jobs must go into convulsions when he sees one. My point is that up until now, wireless local-area networks (LANs) have been the domain of geeks. It has only been a recent phenomena for non-techie people to venture out to Best Buy on their own to purchase and install wireless LANs. That will change, though, as the systems become easier to install. So here we are on the cusp of mass appeal for wireless home networks. At this point, I refuse to believe that Cisco will be best positioned to serve those consumers in the long term. If I had to predict a long-term winner in the home networking market in five years, I would pick Son
[ISN] Spammers attack wireless networks
http://www.vnunet.com/News/1139931 By Emma Nash 03-04-2003 Nearly three-quarters of malicious connections to wireless networks are used for sending spam, according to new research. Security consultant Z/Yen set up two wireless local area networks (Lans) on behalf of RSA Security to monitor unauthorised connections - a so-called 'honeypot' trap. The survey found that almost a quarter of unauthorised connections to the wireless Lans were intentional, and 71 per cent of those were used to send emails. "The biggest problem for someone wanting to deliver spam is having anonymity," said Z/Yen consultant Phil Cracknell. "If there's an opportunity to deliver email through someone else's network, and there's no log of it, then this is a perfect opportunity for spammers." Last week, the government published proposals to crack down on spam, which is estimated to account for up to 40 per cent of global email. If the proposals come into force, senders of unsolicited email will require prior consent from recipients, and web users will have to be told if cookies are being used, with the option to reject them. Individuals will also be given more power to decide if they want to be listed in subscriber directories. E-commerce minister Stephen Timms warned that the spread of unsolicited email could damage the development of online business. "Spam has become the curse of the internet," he said. "It's a source of major frustration as it clogs up inboxes the world over. Spam is in danger of becoming a real deterrent to online communication." John Mawhood, head of the commercial and technology department at law firm Tarlo Lyons, said the legal issues surrounding unsolicited use of wireless Lans are cloudy, but sending unauthorised email could create problems for internet service providers (ISPs). "If it is discovered that someone is engaging in denial-of-service attacks, for example, you could end up with the provider of the network being accused of collaborating," he said. 
"A person who manages a wireless Lan, in the sense of owning and running it, will be responsible for the traffic on their network. The ISP will want to make sure spam is not originating from its systems." In the honeypot test, the first unauthorised connection to the wireless Lans was made in just over two-and-a-half hours. "I think this is pretty worrying," said Tim Pickard, European strategic marketing director at RSA Security. "Every fourth connection is malicious, which is quite high." The honeypots were deployed following research by RSA and Z/Yen that showed a third of wireless Lans in the City are vulnerable to attacks by hackers.
[ISN] EU Squabble May Sink Planned Cybercrime Agency
http://boston.com/dailynews/155/technology/EU_Squabble_May_Sink_Planned_C:.shtml By Lisa Jucca Reuters 6/4/2003 BRUSSELS (Reuters) - Plans for a European agency to tackle cybercrime such as computer viruses and terror attacks may be scuppered by bureaucracy because governments want to monitor it too tightly, EU officials said on Wednesday. The European Network and Information Security Agency, which would play a key advisory role to the 15 EU governments on how to combat Web-related threats, was expected to be up and running by the end of this year. However member states now say they want to directly appoint members of the management board, which would oversee the work of the agency. They are also seeking to axe a planned advisory panel meant to give voice to the industry, EU officials said. The Commission is fiercely opposing an overhaul of its planned structure and is threatening to withdraw the proposal. "This debate is unnecessary. We are faced with cyber threats on a daily basis and we have no means to respond to them," a Commission spokesman said. The European Commission, the EU's executive body which proposed the agency, had wanted the new body to be a slim 30-man operation to rapidly react to virus attacks and other threats. Authorities worldwide have woken up to the dangers of serious network failures, such as those caused by computer worm "SQL Slammer" earlier this year. Potential terror strikes are also a source of concern after the September 11 attacks. Internet service providers say the agency would play a very necessary role were it not to be hamstrung by governments' intervention. "A very significant role exists for the new network security agency," said Louisa Gosling, president of Europe's Internet services providers association EuroISPA.
"However, we are worried that unnecessary bureaucracy in the structure of the new agency could seriously impact on its effectiveness." The agency is expected to cost the EU around 24 million euros ($28.09 million) in five years. A further nine million euros will be added once 10 new EU members join in May 2004. Its other duties would include EU-wide collection of data on cyber attacks, security risk assessments and pan-EU guidelines. Individual member states already operate crisis units -- called Computer Emergency Response Teams -- against threats posed by Internet hackers and spreaders of computer viruses. But the system lacks central coordination. Member states want to continue to rely mainly on the CERTS and fear the agency may interfere with their functioning. The EU has harmonized legislation against cybercrime. Under the EU rules, hackers seeking unauthorized access to a computer system can face several years in jail. ($1-.8542 Euro)
[ISN] Internet Explorer Object Type Property Overflow
Forwarded from: "Derek Soeder" <[EMAIL PROTECTED]>

Internet Explorer Object Type Property Overflow

Release Date: June 4, 2003
Severity: High (Remote Code Execution)
Systems Affected:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6.0
Microsoft Internet Explorer 6.0 for Windows Server 2003

Description:
The "Object" tag is used to insert objects such as ActiveX components into HTML pages. The "Type" property of the "Object" tag is used to set or retrieve the MIME type of the object. Typical valid MIME types include "plain/text" or "application/hta", "audio/x-mpeg", etc. A buffer overflow has been discovered in the "Type" property of the "Object" tag. While there is buffer checking in place, the buffer checking can be overcome by using a special character. From there, the exploitation is a simple, stack-based overflow that allows the remote attacker to run code of his/her choice on the target system. This attack may be utilized wherever IE parses HTML, so this vulnerability affects newsgroups, mailing lists, or websites.

Note: Due to the popularity and prevalence of ActiveX on the Internet, users running Windows 2003 "Enhanced Security Configuration" Mode may have chosen to re-activate the ability to view active content for all websites instead of continually adding websites to the "Internet" or "Trusted" zones on a per-site basis. These users should be aware that they are at risk for this vulnerability and should apply the necessary patch.

Technical Description:
This example was designed for Windows 2000 with .Net Framework and the latest IE. Cooler Than Centra Spike Give or take a few '/' characters depending on the system. The issue is relatively simple and interesting: the '/' character is changed into '_/_' (three characters) after the string is checked for proper buffer size. Because of this expansion, we are able to overrun the bounds of the buffer.
This allows us to take control of key registers so as to run code that we specify, which will be available at the EDX register. At this point a JMP EDX is called, and from there the payload can be executed. This issue was discovered by using the same automated testing tool with which we found the Shockwave, MSN Chat, and PNG issues. Additional time was saved through "eVe", a proprietary vulnerability tracing tool which allows for the viewing of checked and unchecked buffers as they are processed in memory.

Protection:
Retina® Network Security Scanner (http://www.eeye.com/Retina) has been updated to identify this latest Internet Explorer vulnerability.

Vendor Status:
Microsoft was notified and has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS03-020.asp

Credit:
Drew Copley, Research Engineer, eEye Digital Security

Greetings:
Thanks to Riley Hassell, Research Engineer -- for eVe, and various other research help. Welcome to Unyun, of ShadowPenguin fame -- he swears there are no ninjas left in Japan, but he is lying, and he is one. Also gr33t5 to... the Shadow, Wolverine, the Hulk, and the Punisher.

Copyright (c) 1998-2003 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Feedback
Please send suggestions, updates, and comments to: eEye Digital Security http://www.eEye.com [EMAIL PROTECTED]
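The root cause the advisory describes is a general bug class: a size check performed on the raw input, followed by an escaping step that grows the string. The constructed C example below (added here; not eEye's, Microsoft's or IE's code, and the 16-byte buffer and the "_/_" rewrite are toy assumptions chosen only to mirror the advisory's description) shows the flawed check next to the check that measures the post-expansion length before writing anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy buffer size for the illustration (constructed; not IE's real size). */
#define TYPE_BUF_SIZE 16

/* Length of s after every '/' is rewritten as "_/_" (a net +2 per slash),
 * mirroring the expansion the advisory describes. */
size_t expanded_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += (*s == '/') ? 3 : 1;
    return n;
}

/* The flawed pattern: the bound is checked against the raw input, before
 * the expansion that actually decides how many bytes get written. */
bool naive_check_passes(const char *s)
{
    return strlen(s) < TYPE_BUF_SIZE;
}

/* The hardened pattern: compute the post-expansion size first and refuse
 * the input if it (plus the NUL terminator) would not fit in outsz bytes.
 * Writes nothing and returns false when the input is rejected. */
bool safe_expand(const char *in, char *out, size_t outsz)
{
    size_t need = expanded_len(in);
    if (need + 1 > outsz)
        return false;
    char *p = out;
    for (; *in; in++) {
        if (*in == '/') {
            *p++ = '_'; *p++ = '/'; *p++ = '_';
        } else {
            *p++ = *in;
        }
    }
    *p = '\0';
    return true;
}

/* Convenience wrapper for the toy buffer: does the expanded form fit? */
bool fits_after_expansion(const char *s)
{
    char buf[TYPE_BUF_SIZE];
    return safe_expand(s, buf, sizeof buf);
}

int main(void)
{
    /* Constructed inputs: the second passes the raw-length check but would
     * need 22 bytes once expanded, i.e. the case the advisory describes. */
    const char *inputs[] = { "text/plain", "ab/cd/ef/gh/ij" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-16s raw=%zu expanded=%zu naive=%s safe=%s\n", inputs[i],
               strlen(inputs[i]), expanded_len(inputs[i]),
               naive_check_passes(inputs[i]) ? "pass" : "reject",
               fits_after_expansion(inputs[i]) ? "pass" : "reject");
    }
    return 0;
}
```

The fix is not specific to slashes: any transformation that can lengthen data (escaping, percent-encoding, charset conversion) has to be measured after the transformation, or the writer has to track the remaining space as it goes.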
RE: [ISN] This computer security column is banned in Canada
Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] There are articles and papers everywhere talking about why Security Through Obscurity doesn't work as an effective security measure. It is a bureaucratic dream that if only you pretend the problem doesn't exist or hide its existence from the general population that the problem will go away. Do the students have to develop new viruses to learn about viruses- no. But, to quote Albert Einstein "You cannot solve the problem with the same kind of thinking that has created the problem." I think that to develop the next generation of virus defense we need people to get into the minds of the virus writers and think like them- use their tools, work the way they work. Maybe by doing so they can find the chinks in the armor before the bad guys and develop proactive tools instead of the reactionary virus defense we currently have. Read the article I wrote on this controversial topic: http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+ About.com Guide for Internet / Network Security http://netsecurity.about.com Click here to sign up for the weekly Internet / Network Security Newsletter: NetSecurity Newsletter
Re: [ISN] OpenBSD Gets Harder to Crack
Forwarded from: Russell Coker <[EMAIL PROTECTED]> Cc: [EMAIL PROTECTED]

Timothy Dyck wrote in a review of OpenBSD:
> However, while mandatory access controls do make systems harder to
> administer, we've found the approach a very powerful defense in
> tests and would welcome the option to use these techniques with
> OpenBSD.

One point you may use to strengthen your arguments for MAC in discussions with BSD people is their use in testing software. When you write MAC policy for an application using a system such as SE Linux that has fine grained controls you get a good knowledge of the details of its operation. I have discovered many bugs in Linux programs through writing SE Linux policy and observing which programs try to violate the policy. One of the most common bugs I find is applications and libraries which fail to close file handles before executing other programs. I have found this in LDAP library code, the PCMCIA cardmgr process, many other programs, and even in the kernel itself! Some of these bugs have been fixed because of my work alone, and might otherwise still be present and unknown in Linux systems. My work on SE Linux is providing benefits for people who will never use it through getting some of these bugs fixed. Another thing to note is that although administering a system with MAC involves more work (and more skill) than a regular Unix system, you are not compelled to use it. Having a MAC system as an option for those who want it does not seem to offer any cost.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
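The most common bug the message above reports, descriptors left open across an exec, is what a fine-grained policy denial surfaces when the executed program inherits a file it has no business reading. The constructed C example below (added here; it is not Coker's code and has nothing to do with SE Linux policy itself) shows the portable way to check for that leak in a test and the fix: marking the descriptor close-on-exec with FD_CLOEXEC, or opening it with O_CLOEXEC in the first place. The scan of descriptors 3 through an assumed upper bound is a simplification for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>

/* Does fd carry the close-on-exec flag? An invalid fd counts as "no". */
bool is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) != 0;
}

/* Mark fd close-on-exec so a later execve() does not hand it to the
 * new program image. */
bool set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return false;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC) != -1;
}

/* The leaking pattern: open without O_CLOEXEC and never set the flag.
 * Returns true when the descriptor would survive an exec. */
bool legacy_open_leaks(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return false;
    bool leaks = !is_cloexec(fd);
    close(fd);
    return leaks;
}

/* Fix 1: keep the legacy open() but set FD_CLOEXEC right after it. */
bool fixed_open_is_safe(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return false;
    bool ok = set_cloexec(fd) && is_cloexec(fd);
    close(fd);
    return ok;
}

/* Fix 2: ask for close-on-exec atomically at open time (no window in
 * which a concurrent fork+exec in another thread could inherit it). */
bool cloexec_open_is_safe(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return false;
    bool ok = is_cloexec(fd);
    close(fd);
    return ok;
}

/* Audit helper for a test harness: count open descriptors in 3..maxfd
 * that are NOT close-on-exec, i.e. the set an exec'd child would inherit. */
int count_leaking_fds(int maxfd)
{
    int n = 0;
    for (int fd = 3; fd <= maxfd; fd++) {
        if (fcntl(fd, F_GETFD) == -1)
            continue;               /* not open */
        if (!is_cloexec(fd))
            n++;
    }
    return n;
}

int main(void)
{
    const char *path = "/dev/null";  /* constructed: any readable file */
    printf("legacy open leaks across exec: %s\n",
           legacy_open_leaks(path) ? "yes" : "no");
    printf("open + FD_CLOEXEC safe:        %s\n",
           fixed_open_is_safe(path) ? "yes" : "no");
    printf("open with O_CLOEXEC safe:      %s\n",
           cloexec_open_is_safe(path) ? "yes" : "no");
    printf("leaking fds in 3..255 right now: %d\n", count_leaking_fds(255));
    return 0;
}
```

Calling count_leaking_fds() immediately before the exec in a program's own test suite finds the same class of bug without a MAC policy, though, as the message notes, a policy denial finds it in code you did not write tests for.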
[ISN] HHS boosting cybersecurity
http://www.fcw.com/fcw/articles/2003/0602/web-hhs-06-04-03.asp By Sara Michael June 4, 2003 The Department of Health and Human Services has expanded its contract with iDefense Inc. to provide cyberthreat intelligence to the entire department. Reston, Va.-based iDefense will help the department protect its computers, networks and Internet functions with the company's iAlert intelligence service. The service will provide intelligence reports to keep HHS officials aware of possible risks. The company delivers the intelligence reports via e-mail, a secure Web interface and wireless devices. "The Department of Health and Human Services is setting the standard for proactive defense by uniformly equipping all of its agencies with the capability to quickly deploy countermeasures against emerging threats before they can cause any damage," iDefense vice president of intelligence operations John Frazzini said in a statement. IDefense will provide the following services for HHS:
* Daily intelligence reports providing early warning notification and analysis on cyberthreats.
* Proactive countermeasure information, such as patches and workarounds, to avoid damage from the latest vulnerability.
* Profiles of threats, including individual and groups of hackers and areas of increased malicious cyberactivity.
[ISN] Hibbing man will fight hackers
http://www.duluthsuperior.com/mld/duluthsuperior/news/6014532.htm BY STEVE KUCHERA NEWS TRIBUNE STAFF WRITER June 05, 2003 Hibbing native Mike Swanson has long enjoyed computers. Now he's on the path to protecting them. Swanson, a recent University of Wisconsin-Superior graduate, is entering the federal Cyber Corps program, which will pay for his master's degree. In exchange, he'll work for the government for at least two years, defending the country against Internet hackers and terrorists. "It's new, it's cutting-edge," he said. "It's ironic that part of our learning curve is to learn how to hack computers so we can prevent future hacking." Attacks on the Internet and computers are increasing. According to the Computer Emergency Response Team/Coordination Center at Carnegie Mellon University, 82,094 such incidents were reported last year. That compares with 55,100 during 2001 and 21,756 during 2000. "It's very easy to attack the Internet -- there are no boundaries," said Vipin Kumar, director of the Army High Performance Computing Research Center. "You sit anywhere and attack a computer anywhere in the world." The center is working with the University of Minnesota-Twin Cities to develop an intrusion detection system to help prevent cyberattacks on computer systems. Luckily, Kumar said, many of the attacks are launched by solitary hackers who are bored and doing it for their own pleasure. "If an organized entity launches these attacks, they will be meant to do big damage," he said. "And the amount of damage that can be done is enormous." To help defend against such attacks, the National Science Foundation announced in May 2001 that it would pay for Scholarship-for-Service programs at six colleges, including the University of Tulsa in Tulsa, Okla. Swanson is one of just 12 students accepted for Tulsa's Cyber Corps program next fall. The federal government will pay the students' tuition and room and board, travel to conferences and a stipend. 
Between his two years of graduate school, Swanson will learn firsthand about computer security at a federal agency during a summer internship. After he graduates with a master's degree in computer science as well as several federal computer security certificates, he'll go to work for the federal government.

Swanson was excited when he learned the government had accepted him to the Cyber Corps program. "I was just blown away," he said. "They pay for everything."

"The prof at Tulsa put it to me in this way," Swanson said. " 'You can go to work for Microsoft and make six figures in a few years. Or you can go to work for the government and not make as much money, but you're going to have a life. You're not going to have red eyes, sitting in front of a computer monitor for 16 hours a day. You're going to have time for family, vacations.' "

Swanson, 23, decided in high school to make computers his career. "I took a programming class, and I was fairly good at it," he said. However, his interest in computers began earlier. "When I was about 6, 7, 8, I used to copy programs out of a book," Swanson said. "I had no clue what I was doing. I would just type each character. I would be excited just to see what would happen on the screen."

Despite his interest in computers, Swanson hadn't planned on going to college, far less to grad school. "Then I went to HCC and got my AA degree," he said, referring to Hibbing Community College. "Then, nearing the end of my schooling at HCC, I thought I might as well look for a four-year degree." He decided to pursue a degree in computer science at UWS because of the school's small size and reputation for one-on-one attention.

It's because of one of his instructors, Victor Piotrowski, that Swanson learned about the Cyber Corps program and will now work toward a master's degree. Piotrowski once asked Swanson to perform some research on computer security and the Cyber Corps program. "One day he said to me, 'Have you thought about graduate school?' I said 'not really.' Here I was, nearing the end of my bachelor's degree and I'm going on again. It has to end sometime soon."
[ISN] Windows & .NET Magazine Security UPDATE--June 4, 2003
This Issue Sponsored By
TNT Software http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw07mN0Ag
Panda Software http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0BAft0AT

1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam
2. Security Risks
   - Multiple Vulnerabilities in Microsoft IIS
   - DoS in Microsoft WMS for Win2K and NT
   - Buffer Overrun in AnalogX Proxy Server for Windows
   - Remote Compromise Vulnerability in BadBlue Personal File Sharing Program
3. Announcements
   - Cast Your Vote in Our Annual Readers' Choice Awards!
   - Windows & .NET Magazine Connections: Fall Dates Announced
4. Security Roundup
   - News: Magazine Announces Best of Show Finalists
   - News: TrustZone Added to ARM Processor Architecture
   - News: HP Releases New Systems with Chip-Based Security
5. Security Toolkit
   - Virus Center
   - FAQ: Why Can't Some of Our Users Change Their Passwords?
6. Event
   - Security 2003 Road Show
7. New and Improved
   - Set a Trap for Intruders
   - Protect AD from Rogue Administrators
   - Submit Top Product Ideas
8. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Security Rights for Laptop Users
9. Contact Us
   See this section for a list of ways to contact us.

Sponsor: TNT Software
Experience the Benefits of Real Time Monitoring
Poring over event records after the fact? Are undetected DoS attacks a constant threat? Could unauthorized webmasters take artistic liberties to your homepage without you knowing about it? There is an affordable solution. ELM Enterprise Manager monitors your security perimeter and alerts you by page, email, or instant message in time to take prompt action. Download your FREE full featured 30 Day evaluation copy NOW and start experiencing the benefits of real time monitoring.
http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw07mN0Ag

1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam
by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED]

The Computer Security Institute (CSI) released the "2003 Computer Crime and Security Survey," its eighth annual report conducted in association with the FBI. The report shows that despite shifts in trends, cybercrime remains a serious problem, as you well know.

Highlights from the report show that financial losses from security breaches have dropped by about 56 percent. Last year, respondents reported losses of about $455,848,000; this year, respondents reported losses of about $201,797,340. However, though financial losses dropped, roughly the same number of incidents occurred.

The report indicates a huge drop in losses from financial fraud, the most costly security problem. Last year, losses totaled $116 million; this year, losses totaled about $9.1 million. The largest losses came through the theft of proprietary information, with respondents reporting an average loss of about $2.7 million. For the second most costly security problem, however, Denial of Service (DoS) attacks, losses increased about 250 percent--to more than $65.6 million.

According to CSI Director Chris Keating, "The trends the CSI/FBI survey has highlighted over the years are disturbing. [Cybercrimes] and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks; furthermore, such incidents can result in serious damages ... Clearly, more must be done in terms of adherence to sound practices, deployment of sophisticated technologies, and most importantly adequate staffing and training of information security practitioners in both the private sector and government."

If you want to see the complete survey results, you can obtain a copy by submitting a request form at the CSI Web site.
http://www.gocsi.com/forms/fbi/pdf.html

Microsoft Hotfix

Speaking of cyber attacks, you're probably aware that Microsoft has released a new security bulletin, MS03-019 (Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution). According to Microsoft, the problem affects Windows 2000 and Windows NT systems. The company initially rated the problem's severity as "moderate," noting that the DoS would lead to the server rebooting itself. However, Mark Maiffret of eEye Digital Security pointed out that according to his company's tests as well as the tests that vulnerability discoverer Brett Moore conducted, the problem is far more serious than Microsoft first indicated. The tests show that the problem isn't simply a Denial of Service (DoS) issue. According to Maiffret, "If you're running Windows Media Services on IIS, attackers can spawn a remote shell command prompt on your vulnerable system." Microsoft has modified the vulnerability rating to "important" and re-released its related security bulletin. Administrators should patch their systems soon as pos
[ISN] Compromised Private Branch Exchange (PBX) and Telephone Voice Mail Systems
The following information, recently received from the Federal Bureau of Investigation, is forwarded for your information. It may be further disseminated without restriction in any manner you choose.

Homeland Security Information Bulletin
Compromised Private Branch Exchange (PBX) and Telephone Voice Mail Systems
June 3, 2003

This Bulletin is being disseminated for information purposes only.

The Department of Homeland Security is working with the Federal Bureau of Investigation to address multiple reports from private industry describing incidents involving compromises of Private Branch Exchange (PBX) and telephone voice-mail systems. These compromises allow unauthorized users to make long distance domestic and international telephone calls through the compromised systems. FBI Field Offices in several cities have been working closely with fraud investigators from various telecommunication carriers who have reported encountering intruders making numerous international calls.

A common scenario for these compromises follows this general pattern: An intruder circumvents a PBX system's security and gains access to a voice-mail system. The intruder may then configure the compromised system to dial out to a domestic or foreign phone number.

PBX compromises are not a new vulnerability, but they highlight the need for PBX users to maintain vigilance. These schemes appear to be becoming more prevalent. This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised US phone systems in a way that is difficult to trace. Reports have also surfaced suggesting that some of these unauthorized calls are being used to connect to local access numbers for internet service providers, thereby giving the caller free Internet service via a modem. An intruder gaining unauthorized access to several mailboxes can redirect repeated calls to a specific number, such as 911, and cause denial-of-service (DoS) activity.

While law enforcement and industry investigators work to mitigate these ongoing schemes and prosecute the responsible parties, DHS in coordination with the FBI has chosen to highlight this activity in order to raise awareness among users of PBXs to the possible risk associated with exploitation of the PBX vulnerability. DHS and the FBI recommend that phone system administrators review their internal security policies, enable all password protection functions, change default passwords and continually audit phone billing records to detect unauthorized activity.

Users of PBX systems should consider protecting themselves by performing the following basic actions:
1. Periodically change the phone system administrator and maintenance passwords.
2. Lock users out after a limited number of failed attempts at accessing password protected accounts.
3. Mandate that all users create their own passwords and change them periodically.
4. Ensure that passwords are as long as permitted by your system.
5. Properly secure or disable unnecessary features such as call forwarding or call transfer.
6. Assign someone as phone system/voice mail administrator and keep him/her informed of personnel changes.

The National Institute of Standards and Technology (NIST) makes available on its Web page NIST Special Publication 800-24 entitled "PBX Vulnerability Assessment - Finding Holes in Your PBX Before Someone Else Does." This provides generic PBX security methodology and vulnerability analysis. The report can be found at: http://www.csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf. For specific security and vulnerability information, PBX administrators should consult with their respective PBX system vendor.

DHS encourages individuals to report information regarding suspicious or criminal activity to law enforcement or a Homeland Security watch office. Individuals may report incidents online at http://www.nipc.gov/incident/cirr.htm. Federal agencies/departments may report incidents online at https://incidentreport.fedcirc.gov. Contact numbers for the IAIP watch centers are: for private citizens and companies, (202) 323-3205, 1-888-585-9078 or [EMAIL PROTECTED]; for the telecom industry, (703) 607-4950 or [EMAIL PROTECTED]; and for Federal agencies/departments, (888) 282-0870 or [EMAIL PROTECTED]. Contact information for the FBI's field offices can be found at http://www.fbi.gov/contact/fo/fo.htm.

DHS intends to update this Bulletin should it receive additional relevant information, including information provided to it by the user community. Based on this notification, no change to the Homeland Security Advisory Level is anticipated; the current HSAS level is YELLOW.
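The bulletin's most actionable recommendation is to audit phone billing records continually for unauthorized activity. The following is an added example of what such an audit can look like; it is not code from DHS, the FBI or NIST. It parses constructed call-detail records (timestamp, originating extension, dialed number, duration) and flags the two abuse patterns the bulletin describes: international calls placed outside business hours (the toll-fraud signature) and one number being dialed from many mailboxes (the redirect-to-a-single-number denial-of-service pattern). The record format, the business-hours window, the "011" international prefix and the threshold of three extensions are all assumptions for this example.

```python
"""Audit constructed PBX call-detail records for the abuse patterns in the
DHS/FBI bulletin: after-hours international calls and many mailboxes
dialing one number.  Added example; all data and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR lines (not real billing data):
# timestamp, originating extension, dialed number, duration in seconds
SAMPLE_CDR = """\
2003-06-02 09:14:05,2214,6125551212,184
2003-06-02 13:40:22,2218,0114420712345678,61
2003-06-03 02:11:48,2301,01163298765432,1420
2003-06-03 02:19:03,2301,01163298765432,1388
2003-06-03 02:47:51,2301,01163298765432,1502
2003-06-03 03:05:10,2307,6125550100,45
2003-06-03 03:05:14,2310,6125550100,47
2003-06-03 03:05:19,2315,6125550100,44
2003-06-03 03:05:23,2322,6125550100,46
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time; assumed site policy
INTL_PREFIX = "011"             # North American international dialing prefix
REDIRECT_THRESHOLD = 3          # distinct extensions hitting one number; assumed


def parse_cdr(text):
    """Parse the CSV-style CDR lines into dicts with a datetime and int duration."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, dialed, secs = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ext": ext,
            "dialed": dialed,
            "secs": int(secs),
        })
    return records


def after_hours_international(records):
    """Return (ext, dialed, iso_timestamp) for international calls placed
    outside business hours.  A daytime international call from a known
    extension is normal business; the same call at 02:00 is the bulletin's
    toll-fraud pattern and deserves a look at that mailbox."""
    hits = []
    for r in records:
        if r["dialed"].startswith(INTL_PREFIX) and r["time"].hour not in BUSINESS_HOURS:
            hits.append((r["ext"], r["dialed"], r["time"].isoformat()))
    return hits


def mass_redirect_targets(records, threshold=REDIRECT_THRESHOLD):
    """Return {dialed_number: [extensions]} for numbers dialed from at least
    `threshold` distinct extensions.  Several mailboxes all pointed at one
    number is the denial-of-service pattern the bulletin describes."""
    by_target = defaultdict(set)
    for r in records:
        by_target[r["dialed"]].add(r["ext"])
    return {num: sorted(exts) for num, exts in by_target.items() if len(exts) >= threshold}


def audit(text):
    """Run both checks over one batch of CDR text and return the findings."""
    records = parse_cdr(text)
    return {
        "after_hours_international": after_hours_international(records),
        "mass_redirect_targets": mass_redirect_targets(records),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CDR).items():
        print(finding, items)
```

In the constructed data the daytime call from extension 2218 to a UK number is not flagged, the three overnight calls from extension 2301 to one overseas number are, and the four extensions that all dialed 6125550100 within seconds of each other surface as a redirect target. On a real system the same two checks would run against the carrier's or PBX's exported billing file on a schedule, which is how the "continually audit" recommendation becomes a concrete control.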
RE: [ISN] This computer security column is banned in Canada (Three messages)
Forwarded from: Pete Lindstrom <[EMAIL PROTECTED]>

The existence of articles does not mean that the assertions are true. The fact is, we practice security through obscurity every day in the security space. We don't divulge what solutions/techniques we use to protect our systems; we encrypt meaningless data to make it harder to pick out important stuff; we use honeypots to deceive attackers; we change port numbers for common services, etc. Heck, even the use of passwords is a form of security through obscurity. (Now is where you smirk and say "yeah, see where passwords got us..." but there is no denying the universal use as a basic form of security, and there aren't many people doing something different).

Security through obscurity gets a bum rap in the security profession because it is often an excuse for inaction. I believe it is one of many tactical approaches that are useful as part of a strong security program as long as people understand its limitations and don't rely on it too heavily. Let's face it - we need all the help we can get. If a little bit of obscurity helps (and I think it can at least temporarily and in specific areas) then use it. Just don't base your entire security program on it.

The next generation of virus defense is already developing - in the form of host intrusion prevention and trusted operating systems (yes, I mean Palladium). We should be spending our time making them less intrusive, more manageable, and more flexible in heterogeneous environments.

Teaching someone to write viruses is a sexy-cool way to get some attention, but logically flawed and distracting as a strong way to develop virus defenders. We need to teach people how to detect viruses amidst a sea of good processes and understand how they act in their attack, payload, and propagation vectors, then teach them how to identify the many attack points in software. Why not teach a class on how to detect and stop viruses? Because it doesn't have the sexy-cool factor, that's why.

There is much, much more to security than catering to the rock-star coolness of writing a virus that will take over the world (eventually one of the students will have to try it). The benefits do not outweigh the risks, and there are plenty of alternatives that "think differently" and are less risky.

Pete

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of InfoSec News
Sent: Thursday, June 05, 2003 4:39 AM
To: [EMAIL PROTECTED]
Subject: RE: [ISN] This computer security column is banned in Canada

Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]

There are articles and papers everywhere talking about why Security Through Obscurity doesn't work as an effective security measure. It is a bureaucratic dream that if only you pretend the problem doesn't exist or hide its existence from the general population that the problem will go away. Do the students have to develop new viruses to learn about viruses- no. But, to quote Albert Einstein "You cannot solve the problem with the same kind of thinking that has created the problem." I think that to develop the next generation of virus defense we need people to get into the minds of the virus writers and think like them- use their tools, work the way they work. Maybe by doing so they can find the chinks in the armor before the bad guys and develop proactive tools instead of the reactionary virus defense we currently have.

Read the article I wrote on this controversial topic: http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm

-=-

Forwarded from: Brooks Isoldi <[EMAIL PROTECTED]>

With all due respect to the corporate exec who was quoted in the original article as asking "Do they teach classes on how to hack?", but he is obviously not up on today's times and doesn't seem all too bright to me. He had no business being quoted in this article. He may want to check out the NSA Information Assurance program set up in about a dozen universities around the country that have classes in the curriculum on hacking, cryptography/cryptology, and computer security. It really is a no brainer that the best defenders are those who think just like the offenders.

Brooks

-=-

Forwarded from: Julie Ranada <[EMAIL PROTECTED]>

A suggestion if people are so alarmed about having UCalgary offer virus-writing classes to their students: why not have Microsoft buy up all the seats in the class and have their programmers attend it...
[ISN] DOD to re-emphasize security
http://www.fcw.com/fcw/articles/2003/0602/web-opsec-06-05-03.asp
By Dan Caterinicchia
June 5, 2003

FORT LAUDERDALE, Fla. -- The secretary of Defense will soon issue a directive placing a renewed emphasis on operational security (OPSEC) throughout the department.

Tom Mauriello, director of the interagency OPSEC support staff, said a document has been awaiting DOD Secretary Donald Rumsfeld's signature since before Operation Iraqi Freedom began that would infuse more funding and guidance in the realm of operational security. Mauriello's comments came during a June 4 speech at the Army Small Computer Program's IT conference. He refused to answer any follow-up questions, and would only tell FCW that there will soon be a "resurgence of emphasis" on OPSEC coming down from the Pentagon.

During a high-energy, wide-ranging 90-minute presentation, Mauriello discussed all aspects of OPSEC from the physical through the cyber realm and explained the five-part process:
* Collection of critical information, which is not difficult since 80 percent of all data is open source.
* Threat analysis.
* Vulnerability analysis.
* Risk assessment.
* Counter measures.

Everyone from the acquisition community to human resources personnel to building maintenance are involved in OPSEC, but more work is needed, he said. "A good OPSEC program educates people in all parts of an organization to think this way," Mauriello said.

As an example, a government intelligence agency decided to outsource its building maintenance and gave all of its structural plans to 12 potential contractors. Those blueprints included detailed schematics of the buildings, the locations of electronic and electric equipment and sources, and other critical information. Mauriello refused to name the agency, but said officials from there only called him after they realized the magnitude of the mistake they had made. "Many times [people] give information away and don't even know it."
[ISN] Report: Most Broadband Users Lack Basic Security
http://www.internetnews.com/infra/article.php/2217421
By Matt Villano
June 4, 2003

Is your computer as safe from hackers and viruses as it could be? Even if you think it is, you might be wrong.

According to a report released Wednesday by the National Cyber Security Alliance, most broadband cable customers lack the most basic protections against the dangers of a persistent connection to the Internet. The report also highlights a major perception gap on the issue of broadband security - while most consumers believe they have taken adequate steps to protect their computer, only 11 percent actually have safe and securely configured systems.

Experts blame this disconnect on a lack of education. Tatiana Gau, Chief Trust Officer and Senior Vice President for Integrity Assurance at America Online, says that while most consumers are aware of security threats such as viruses and hackers, few of them have identified specifically how to tackle these threats head-on and make certain that their personal systems are secure.

"Without even knowing they are unsafe, millions of high-speed users are putting themselves and their families at risk by having unprotected broadband," Gau said in a statement released with the report. "A basic broadband connection without protection can be the equivalent of a high-speed sewage pipe into the home."

With this in mind, some of the key findings of the report include:
* 86 percent of consumers say they keep sensitive health, financial, or personal information on their home computers.
* 97 percent of parents with broadband connections do not use parental controls to keep their children safe from inappropriate content and contact with strangers on the Internet.
* 91 percent of users have intrusion software, or "spyware," on their home computers, much of it uploaded surreptitiously by music or file sharing programs.
* Although 76 percent of consumers have anti-virus software on their computers, only half of that group has updated their software in the past month.
* Only 33 percent of all computer users have a properly configured and secure firewall, meaning two out of every three broadband homes are not secure.

Experts focus on this last point as one of the most critical statistics in the report as a whole. Properly installed firewalls, though they slow computer performance significantly, are considered some of the best protectors against the dangers of the Internet today. As former Century Communications CEO Bern Gallagher explains it to internetnews.com, few, if any, broadband services offer firewall protection on the server-side, meaning that individual customers must use individual firewall technology to protect their information at home.

"The way hackers work, they break into a [broadband] system and go sequentially right down the customer list," said Gallagher, who now consults on broadband issues for a variety of smaller cable firms. "Firewalls stop these guys cold... if they hit one, they just give up and go on to the next computer."

Gallagher says that many broadband service providers offer free firewall products upon request. The Alliance also recommends automatically or regularly updated anti-virus software programs, as well as parental control software for households that include children who may be subjected to inappropriate content through spam.

The report summarizes a study conducted for the Alliance in the homes of 120 typical broadband consumers by technical experts from AOL. The entire study, entitled "Fast and Present Danger," as well as a list of security precautions broadband consumers can take to make their connections more secure, can be accessed online through the Alliance's "Stay Safe Online" [1] campaign Web site.

[1] http://www.staysafeonline.info/
[ISN] Secunia Weekly Summary
===
The Secunia Weekly Advisory Summary
2003-05-29 - 2003-06-05
This week : 58 advisories
===

An effective security solution starts with a position of expertise. The following 58 advisories are written by Secunia. Customers instantly receive relevant advisories to their unique system by E-mail and text message, enabling them to react efficiently. Security Experts at Secunia constantly search for new vulnerabilities and threats. Vast amounts of advisories, vulnerabilities and security news are gathered and assessed daily.

- Stay Secure

===

2003-06-05
-- Sun Solaris Sendmail Privilege Escalation (Less critical) http://www.secunia.com/advisories/8946/
-- Mac OS X LDAP Clear Text User Credentials (Less critical) http://www.secunia.com/advisories/8945/
-- Sun Solaris syslogd Denial of Service (Moderately critical) http://www.secunia.com/advisories/8944/

2003-06-04
-- Internet Explorer Object Tag Buffer Overflow Vulnerability (Highly critical) http://www.secunia.com/advisories/8943/
-- newsPHP Arbitrary Field Insertion Vulnerability (Less critical) http://www.secunia.com/advisories/8942/
-- JBoss JSP Source Disclosure Vulnerability (Moderately critical) http://www.secunia.com/advisories/8941/
-- OpenPKG update for Ghostscript (Less critical) http://www.secunia.com/advisories/8939/
-- Red Hat update for kon2 (Less critical) http://www.secunia.com/advisories/8938/
-- Pablo FTP Server Username and Password Disclosure Vulnerability (Less critical) http://www.secunia.com/advisories/8937/

2003-06-03
-- Linux Kernel Denial of Service Vulnerabilities (Moderately critical) http://www.secunia.com/advisories/8936/
-- Sun Solaris "in.telnetd" Denial of Service Vulnerability (Less critical) http://www.secunia.com/advisories/8935/
-- IRCXpro Server Username and Password Disclosure Vulnerability (Less critical) http://www.secunia.com/advisories/8934/
-- Saarport SPChat Cross Site Scripting Vulnerability (Less critical) http://www.secunia.com/advisories/8933/
-- Saarport WebChat Cross Site Scripting Vulnerability (Less critical) http://www.secunia.com/advisories/8932/
-- Xmame Privilege Escalation Vulnerability (Not critical) http://www.secunia.com/advisories/8931/
-- Sun Management Center Change Manager Buffer Overflow (Less critical) http://www.secunia.com/advisories/8930/
-- Crob FTP Server Username Format String Error Vulnerability (Highly critical) http://www.secunia.com/advisories/8929/
-- mod_gzip Multiple Vulnerabilities (Moderately critical) http://www.secunia.com/advisories/8928/
-- iisCART2000 Upload Vulnerability (Highly critical) http://www.secunia.com/advisories/8927/
-- Sun Cobalt update for MySQL (Less critical) http://www.secunia.com/advisories/8926/
-- Webstores 2000 SQL Injection Vulnerability (Moderately critical) http://www.secunia.com/advisories/8925/
-- Yahoo! Chat and Messenger Hostname Buffer Overflow Vulnerability (Moderately critical) http://www.secunia.com/advisories/8924/
-- Gentoo update for uw-imapd (Less critical) http://www.secunia.com/advisories/8923/
-- Forum Web Server Username and Password Disclosure Vulnerability (Not critical) http://www.secunia.com/advisories/8922/
-- Personal FTP-Server Username and Password Disclosure Vulnerability (Not critical) http://www.secunia.com/advisories/8921/
-- Desktop Orbiter Multiple Connection Denial of Service (Less critical) http://www.secunia.com/advisories/8920/

2003-06-02
-- MAILsweeper for SMTP RTF Attachment Denial of Service (Moderately critical) http://www.secunia.com/advisories/8919/
-- Gentoo update for maelstrom (Not critical) http://www.secunia.com/advisories/8918/
-- Meteor FTP User Enumeration Vulnerability (Less critical) http://www.secunia.com/advisories/8917/
-- Gentoo update for Apache (Highly critical) http://www.secunia.com/advisories/8916/
-- Activity Monitor 2002 Denial of Service Vulnerability (Not critical) http://www.secunia.com/advisories/8915/
-- Titan FTP Server Directory Traversal Vulnerability (Less critical) http://www.secunia.com/advisories/8914/
-- VisNetic FTPServer Directory Traversal Vulnerability (Less critical) http://www.secunia.com/advisories/8913/
-- Gentoo update for tomcat (Less critical) http://www.secunia.com/advisories/8912/
-- Mandrake update for apache2 (Highly critical) http://www.secunia.com/advisories/8911/
-- Red Hat update for Ghostscript (Less critical) http://www.secunia.com/advisories/8910/
-- Baby POP3 Server Multiple Connection Denial of Service (Moderately critical) http://www.secunia.com/advisories/8909/
-- Vignette Story Server Multi
[ISN] Wired Magazine Story to Detail Slammer Web Attack
http://reuters.com/newsArticle.jhtml?type=internetNews&storyID=2886808
By Reed Stevenson
June 5, 2003

SEATTLE (Reuters) - Wired magazine is planning to publish the underlying code for the Slammer worm that slowed Internet traffic to a crawl in January, raising questions over whether such articles inspire future hackers or educate potential victims.

The article, which will be published in Wired's July issue due out on Tuesday, details how the Slammer worm, also known as "SQL Slammer," spread rapidly through the Internet on Jan. 25, shutting down Internet service providers in South Korea, disrupting plane schedules and knocking out automatic teller machines. The article includes the underlying software code for Slammer.

"The thing to note here is that the people who are in a position to wreak havoc on the Internet don't have to read about it on Wired," said Blaise Zerega, managing editor of Wired, which covers a range of subjects centered around technology. "But the people who are in a position to prevent it from happening do read Wired. Our thinking was to shine a light on the problems and issue a wake-up call," Zerega said.

Slammer caught many tech-savvy companies by surprise including Microsoft Corp. (MSFT.O), which had already installed a critical software patch for SQL software for networked computer servers that would have averted most of the damage. Redmond, Washington-based Microsoft, which even saw some of its own servers running SQL software infected by the Slammer worm, also came under fire although it had issued a patch for the security hole months before Slammer had hit.

Vincent Weafer, senior director of security response at computer security company Symantec Corp. (SYMC.O), said that while detailed articles could be important in raising computer security awareness, they also needed to be handled with care. "It's something you need to be cautious of, particularly in a broad-based magazine," Weafer said. "You need to be aware of your audience and what you're saying to them," Weafer said.

In the article, entitled "Slammed! An inside view of the worm that crashed the Internet in 15 minutes," writer Paul Boutin details how Slammer's computer code infiltrates a software program and replicates itself. Slammer caused damage by duplicating itself rapidly and spreading to other vulnerable computers, clogging Internet traffic. The article does not provide details on how to plant the worm, or how to erase any trace of doing so, which would be the most important step for a malicious hacker who wanted to avoid being caught, experts noted.

"I think the approach to safeguarding the Internet should not be break and fix," said Wired's Zerega, "It should be proactive and that's what we're doing here."
[ISN] 'High Risk' Virus Spreading Rapidly
http://www.eweek.com/article2/0,3959,1118559,00.asp
By Dennis Fisher
June 5, 2003

A new variant of the dangerous Bugbear virus is on the loose and has begun spreading rapidly. Bugbear.B is quite similar to the original virus except that the new version contains a keystroke logger and is capable of changing its appearance to evade detection.

As of about 4 p.m. EDT Thursday, MessageLabs had stopped more than 55,000 copies of the new strain of Bugbear, which is infecting about one in every 200 pieces of e-mail, according to the company's statistics. The fast-moving Bugbear.B virus continued to spread Thursday afternoon, but most of the damage has been done outside the United States. England and Italy have been the hardest hit so far, according to statistics compiled by New York-based e-mail security provider MessageLabs Inc.

Anti-virus experts say the infection method and behavior of the virus should come as no surprise. And yet, users continue to open the infected attachments, wreaking havoc on corporate mail servers and networks.

"We can stop looking for worms of mass disruption: Bugbear.B is it. The original Bugbear was amongst leading disrupters of business activity in 2002, and Bugbear.B is poised to follow in its footsteps," said Brad Meehan, director of product management, eTrust Threat Management Solutions, at Computer Associates International Inc., in Islandia, N.Y.

The virus first showed up on the Internet Wednesday, and anti-virus companies say that it has been infecting PCs at an alarming rate. Message Labs Inc., a New York-based e-mail security company, has stopped more than 17,000 copies of the virus since last night. Bugbear.B is the second virus to make waves this week, following in the footsteps of Sobig.C, which hit the Internet on Monday.

Bugbear.B is a typical mass-mailing virus, containing its own SMTP engine. The sending address and subject line on the virus-infected e-mails vary widely and appear to be random. Bugbear.B is capable of spoofing addresses in several domains, some of which are high-profile companies such as Microsoft Corp., and several financial concerns. The attachment containing the virus also has a random name, but is always 73.728 kb and has either a .pif, .exe or .scr file extension. The text in the e-mail message varies, as well.

Once resident on a PC, the virus creates a file that stores all of the keystrokes typed on the infected machine. Bugbear.B is also capable of disabling several kinds of anti-virus software and personal firewalls. Network Associates Inc.'s McAfee Security unit has classified Bugbear.B as a high risk.
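Because the sender, subject and body of Bugbear.B mail are random, the article's two stable indicators are the attachment's size and its executable extension. Below is an added example of a mail-gateway check built on exactly those two indicators; it is not code from eWeek, MessageLabs, McAfee or any other vendor named above. It uses only the Python standard library's email package, constructs its own sample messages (no real sample is needed), and reads the article's "73.728 kb" as 73,728 bytes, which is an assumption; the quarantine rule of requiring both indicators together, to keep false positives down, is also the example's own choice.

```python
"""Screen e-mail for the Bugbear.B attachment indicators from the article:
an executable extension (.pif, .exe, .scr) and a fixed attachment size.
Added example; the byte size and the quarantine rule are assumptions."""
import email
import os
from email.message import EmailMessage
from email.policy import default

SUSPECT_EXTENSIONS = {".pif", ".exe", ".scr"}
BUGBEAR_B_SIZE = 73728   # bytes; assumed reading of the article's "73.728 kb"


def build_sample(filename, size, subject="re: your account"):
    """Construct a test message with one binary attachment.  This is
    synthetic data for the example, not a real worm sample."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"   # sender is random in the real thing
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("see attached")
    msg.add_attachment(b"\x00" * size, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def suspicious_attachments(raw):
    """Return [(filename, decoded_size, [reasons])] for every attachment
    that matches at least one indicator.  Size is measured on the decoded
    payload, since base64 on the wire inflates it by about a third."""
    msg = email.message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        reasons = []
        if ext in SUSPECT_EXTENSIONS:
            reasons.append("executable extension")
        if len(data) == BUGBEAR_B_SIZE:
            reasons.append("size matches Bugbear.B")
        if reasons:
            findings.append((name, len(data), reasons))
    return findings


def should_quarantine(raw):
    """Quarantine only when both indicators coincide on one attachment.
    A lone .exe is common enough in business mail that it is better
    handled by a policy on executables generally than by this rule."""
    return any(len(reasons) == 2 for _, _, reasons in suspicious_attachments(raw))


if __name__ == "__main__":
    for name, size in [("photo.scr", BUGBEAR_B_SIZE), ("photo.scr", 1024), ("notes.txt", BUGBEAR_B_SIZE)]:
        raw = build_sample(name, size)
        print(name, size, suspicious_attachments(raw), "quarantine" if should_quarantine(raw) else "pass")
```

The three constructed messages show the decision boundary: a 73,728-byte .scr file is quarantined, a small .scr file and a 73,728-byte .txt file each produce a single-indicator finding that a reviewer can look at but do not trip the quarantine rule. A size-and-extension match is a narrow signature and a variant that pads itself differently would slip past it, which is why the article's other advice, blocking executable attachments and keeping anti-virus signatures current, still applies.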
[ISN] Security can't stop Asian hackers
http://zdnet.com.com/2100-1105_2-1010044.html By Winston Chai CNETAsia May 27, 2003 A survey has found that nearly three-quarters of businesses in Asia have suffered from network intrusions in the past, says market research firm IDC. According to IDC's recent survey of over 1,000 companies across nine countries in Asia-Pacific, 72 percent of enterprises have experienced an Internet security breach while 39 percent felt their online threats have increased in the past year. And while 97 percent of those surveyed have some form of Internet security in place, these tended to be off-the-shelf anti-virus products, said Nathan Midler, a senior analyst with IDC Asia-Pacific. "The perception that security threats are increasing, coupled with further integration of e-business in the Asian workplace, is driving enterprises to look beyond anti-virus software," he added. They may turn to a provider for corporate-class security services, such as disaster recovery services, encryption technology, and intrusion detection, he said. The survey covered Australia, Malaysia, Singapore, and Thailand, India, South Korea, Hong Kong, Taiwan, and China, with 1,021 organizations interviewed, all of which had over 100 employees and at least a computer network. In a related announcement, the firm today adjusted its regional technology spending forecasts downwards in light of the Sars (Severe Acute Respiratory) outbreak. IDC said in a statement the disease will have a "significant but not dramatic" impact on the Asian tech sector. The firm has just taken $1bn (£610m) off its 2003 regional IT market estimate of $77.1bn (£47bn). IDC said it now expects the Asian IT market to grow by 6.1 percent this year, compared with the former projection of 7.6 percent. The firm said much of the vendor's pain will be felt this quarter, but the blow should be significantly softened by the third and fourth quarters of 2003. 
While the outbreak has had an immediate effect on vertical sectors such as travel and hospitality, its toll on tech companies will be more prolonged and varied. Some IT buyers may have tightened their purse strings in the short term, while others have started taking notice of disaster recovery and mobile workforce products such as telephone and video-conferencing.
[ISN] Microsoft Pulls XP Update Over Glitch
http://www.washingtonpost.com/wp-dyn/articles/A45119-2003May27.html By TED BRIDIS The Associated Press Tuesday, May 27, 2003 WASHINGTON - Microsoft Corp. withdrew a security improvement for its flagship Windows XP software after it crippled Internet connections for some of the 600,000 users who installed it. Microsoft officials said Tuesday the update - which had been available as an option since Friday on its "Windows Update" Web site - apparently was incompatible with popular security software from other companies, such as Symantec Corp. Microsoft said Internet connections failed immediately for an unspecified number of more than 600,000 computers using Windows XP who downloaded and installed the update. Consumers could reconnect only by removing the update, which promised to improve reliability for types of secure Internet connections commonly used by corporations. The glitch occurs amid a debate in Washington among cybersecurity experts whether the technology industry should test the reliability and security of such updates more aggressively. Hackers can easily attack government systems where updates aren't installed routinely, but some experts install them only reluctantly because of worries about unintended consequences of some updates. A White House plan completed this year instructed the General Services Administration to work with the Homeland Security Department to study the effects of software patches on hundreds of computer programs. The plan said the government will share its findings with the technology industry. That provision fell short of earlier drafts of the White House plan, which urged industry to create its own testing center that would make sure updates don't cause additional security problems. Some experts complained it wasn't feasible because of the complexity of studying millions of possible hardware and software combinations. Microsoft was still investigating the latest glitch, which affected an obscure security technology in Windows. 
The update should have allowed traveling executives, for example, to connect more securely and more reliably from a hotel room back to their corporate computer networks. Microsoft said the changes it made complied with the latest industry standards, and said early indications linked the problems to some popular third-party products, such as protective firewall software sold by other companies. Microsoft would not say how many of its customers reported problems but said it was a small number. The company pulled the update from its Web site over the Memorial Day weekend; officials could not say when the update might be available again. "Most systems didn't crash; they simply lost network connectivity," said Michael Surkan, a Microsoft program manager for its networking communications group. "There were hundreds of thousands of people who downloaded this, and we know of only a handful of people who had the problem." Because the software update was considered a security improvement and not an urgent repair, it was available only to customers who specifically visited the Windows Update site Friday. Other repairing patches can be delivered automatically to consumers. On the Net: Affected software update: http://support.microsoft.com?scidkb;LN;818043
Re: [ISN] ISS hatches 'virtual patching' plan (Three messages)
[Due to some technical problems beyond our control, the editing of these messages might be a little munged, along with the PGP signature on the last reply. - WK] Forwarded from: Michael J. Reeves <[EMAIL PROTECTED]> This brings up an interesting point regarding add-on software. HOW much attention is paid to the alerts and logs??? The other day, I d/l'd a file and saved it. My Firewall and Anti-Virus did NOT detect any problem with the file. I opened it expecting one thing, and nothing appeared to happen. Closer examination revealed that it was a *.SCR file. Missed that!!! My firewall notified me that a NEW program was trying to access the internet, and asked should I "BLOCK" access. This sent up a "RED-FLAG" for me!!! I instructed it to establish the BLOCK-RULE, and proceeded to investigate. Turned out it was a new variation of an old trojan, BACKDOOR.LITMUS.203. Having some experience with this stuff, I rebooted the system from a boot disk, moved the suspected files (now 2) into a safe subdirectory, and rebooted the system. I, then, searched the REGISTRY and *.INI files for entries referring to these files and deleted them. I submitted the files to my Anti-Virus publisher for analysis with the results noted previously as to the trojan. They are now updating their definitions files. The one thing that my Anti-Virus program did NOT do was to CHECK the REGISTRY for entries indicative of KNOWN virus and/or trojans. Perhaps this should be suggested??? IMHO MJR InfoSec News wrote: > http://www.nwfusion.com/news/2003/0526isspatch.html > > By Ellen Messmer > Network World Fusion > 05/26/03 > > Internet Security Systems is readying technology it says could > benefit companies fed up with current patch management techniques.
> > More precisely, ISS will enable its vulnerability-assessment scanner > to gang up with its network- and host-based intrusion-detection > systems (IDS) to stop newly discovered attacks or worms that could > damage unprotected servers or desktops on enterprise networks. Michael J. Reeves, AA, ASc MJR Consulting Services Sacramento, California 95842 E-Mail: [EMAIL PROTECTED] -=- Forwarded from: Steve Manzuik <[EMAIL PROTECTED]> http://www.nwfusion.com/news/2003/0526isspatch.html If anyone needs to be concerned with patching it's ISS, but I don't think that their new buzzword will get the job done. > More precisely, ISS will enable its vulnerability-assessment scanner > to gang up with its network- and host-based intrusion-detection > systems (IDS) to stop newly discovered attacks or worms that could > damage unprotected servers or desktops on enterprise networks. The last time I tested ISS' host based "product" it did not work on HP-UX, caused issues on Solaris installs, and blue screened 3 out of 5 Windows 2000 boxes. Don't get me started on the unreliability of their network based product either. Too bad my client wasn't as amused with the failures as I was considering they shelled out close to 100K for the ISS solution. Their scanner product is pretty good though, with all the keygens and cracks floating around for it script kiddies seem to love it and with all the false positives it generates the kiddies won't get anywhere. With the high overhead created by using ISS products it almost makes me wonder if patch management isn't cheaper. > ISS CTO Chris Klaus calls the idea "virtual patching" because it > could eliminate the need to immediately apply server or desktop > software patches, which are often required to combat new attacks > that exploit software holes.
Instead of having to rush to patch the > application or operating system software to stop a fast-moving worm > from taking over vulnerable systems, ISS would be able to have its > IDS ready to take certain steps to stop specific attacks aimed at > the target machine. A proper security framework already eliminates the need to rush out and patch non-critical boxes. Even with this "revolutionary" product it makes sense for IT departments to patch critical systems. > "Patching is unattainable. There's no Fortune 1000 company doing it > across all its systems," contends Klaus, who points out that > sometimes vendors stop supplying patches for their legacy products. > "For instance, Microsoft is no longer supporting patching for > Windows NT." Does ISS Server Sensor even support and work on Windows NT? Does anyone have any success stories with this product on NT? Patching is not unattainable if the proper framework is put in place in the first place. Proper processes can solve a lot of the patching issues. > Next month ISS will add the virtual patching capability to its > vulnerability-assessment tool, Internet Scanner 7.0, which runs on > Windows 2000. But K
[ISN] HIPAA One Step at a Time
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,81439,00.html By Jean Consilvio MAY 26, 2003 Computerworld The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is putting a financial strain on most hospitals these days. It's forcing them to measure and account for data in ways they never had to before. At Baptist Health Care Corp., CIO Dave Garrett used tools from Superior Consultant Co. in Southfield, Mich., to do a gap assessment and to identify deficiencies in HIPAA compliance. The company's IT team then made a remediation plan. One of the first things Garrett did was centralize and coordinate the destruction of protected health information. Instead of shredding documents in small batches, Garrett brought in huge locked bins with small slits just large enough to slide through paper, radiology film and magnetic tapes. Baptist contracted with a company that's bonded and insured to empty the bins, either by shredding the bins' contents under lock and key in the contractor's truck in the parking lot or, if the volume is too large, back at its plant. "People love it because they say they don't have to waste time standing around in front of the shredder anymore," says Garrett. To comply with HIPAA requirements, the electronic systems at Baptist are password-protected. Users who forget their passwords are automatically e-mailed new passwords. One person handles all security help desk calls. Another project Garrett's Web team worked on was creating a Web-based application that tracks all patient information to comply with the minimum requirements of HIPAA's privacy rules. "Whenever you disclose information on a patient, it asks you certain information about the patient and who you're disclosing information to. It keeps track of the date and time of the request, and it keeps it by medical record number or Social Security number. 
There's a couple of different ways it tracks it, and it's stored in a database on a server," Garrett explains. This is called the disclosure/capture component. At Baptist Hospital, only the medical records department does the reporting disclosure. "One of the things that HIPAA requires is that you're accountable for seven years to report back, and I've got to be able to produce that list," Garrett says. Instead of buying an application for what he estimates would cost $50,000, his application group wrote code in about two weeks. "We're not in the business of writing applications, but we can when we need to. And the government tells you what to track," he says, which made programming doable. The key to meeting HIPAA requirements is taking reasonable steps, Garrett says, and in many cases, Baptist has gone beyond the minimum of what's expected. "We feel very comfortable with our transaction code sets. We've already started testing them, and we're working on security," he says. The HIPAA deadline to start testing modifications to transactions and code-set standards for transferring patient data was in April. The deadline for compliance is Oct. 16. The hospital's board and senior management have been supportive of all HIPAA efforts, but they don't have much choice. The HIPAA budget last year was $1 million, and it will probably be the same for this year. But it's not just the IT expense that's considered a financial drain. Beyond that million-dollar budget, Baptist Hospital Chief Operating Officer Bob Murphy says, doing things the HIPAA way takes up valuable nursing time. For example, if the hospital has to report child abuse or a sexually transmitted disease, or provide medical information to a third party such as law enforcement or a child's parent, then a nurse has to stop and fill out a two-page paper form before it can be entered into an electronic database.
That way, if the hospital is asked five years from now whether that information was documented and protected, it can say yes. "In the ER alone, we're going to have to fill out about 50 forms per week, and that's time that nurses aren't going to be able to spend with patients," Murphy says. The hospital will also have to keep buying more servers and storage, so it's unlikely that its HIPAA budget will shrink. The advantage Baptist does have, says Murphy, is that employees are providing what Press Ganey Associates Inc., a South Bend, Ind.-based company that measures health care satisfaction, says is some of the best service in the entire country to their patients. "And you can build a lot on that," he adds.
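The disclosure/capture component Garrett describes (who was told what about which patient, when, kept by record number, and reportable for seven years) is small enough to sketch. The block below is an added example for this digest, not Baptist Health Care's application: the table layout, function names (open_log, record_disclosure, accounting_for_patient) and the sample records are constructed; the seven-year window is the figure the article cites.

```python
"""Accounting-of-disclosures log in the style of the application Garrett describes.

Added example, not Baptist Health Care's code.  The table layout, function
names and sample records are constructed for this example; the seven-year
retention window is the figure cited in the article.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=7 * 365)  # seven-year accountability window from the article


def open_log(path=":memory:"):
    """Open (or create) the disclosure log; in-memory by default for the demo."""
    conn = sqlite3.connect(path)
    conn.execute(
        """CREATE TABLE IF NOT EXISTS disclosures (
               id           INTEGER PRIMARY KEY,
               disclosed_at TEXT NOT NULL,  -- ISO-8601 UTC timestamp
               patient_id   TEXT NOT NULL,  -- medical record number or other identifier
               recipient    TEXT NOT NULL,  -- who received the information
               purpose      TEXT NOT NULL,  -- e.g. law enforcement request
               description  TEXT NOT NULL,  -- what was disclosed
               recorded_by  TEXT NOT NULL   -- staff member who made the entry
           )"""
    )
    return conn


def record_disclosure(conn, patient_id, recipient, purpose, description, recorded_by, when=None):
    """Append one disclosure; parameterised SQL keeps free-text fields out of the query."""
    when = when or datetime.now(timezone.utc)
    cur = conn.execute(
        "INSERT INTO disclosures (disclosed_at, patient_id, recipient, purpose, description, recorded_by)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (when.isoformat(), patient_id, recipient, purpose, description, recorded_by),
    )
    conn.commit()
    return cur.lastrowid


def accounting_for_patient(conn, patient_id, now=None):
    """Disclosures for one patient inside the retention window, oldest first."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - RETENTION).isoformat()
    return conn.execute(
        "SELECT disclosed_at, recipient, purpose, description FROM disclosures"
        " WHERE patient_id = ? AND disclosed_at >= ? ORDER BY disclosed_at",
        (patient_id, cutoff),
    ).fetchall()


def demo():
    """Constructed sample records; returns what the accounting report yields."""
    conn = open_log()
    now = datetime(2003, 5, 26, 12, 0, tzinfo=timezone.utc)
    # one entry older than the window, two inside it, one for a different patient
    record_disclosure(conn, "MRN-0001", "county health dept", "public health reporting",
                      "STD report", "rn-12", when=now - timedelta(days=8 * 365))
    record_disclosure(conn, "MRN-0001", "police", "law enforcement request",
                      "injury report", "rn-12", when=now - timedelta(days=400))
    record_disclosure(conn, "MRN-0001", "parent", "disclosure to minor's guardian",
                      "visit summary", "rn-07", when=now - timedelta(days=3))
    record_disclosure(conn, "MRN-0002", "police", "law enforcement request",
                      "injury report", "rn-12", when=now - timedelta(days=1))
    report = accounting_for_patient(conn, "MRN-0001", now=now)
    return {
        "mrn_0001_recipients": [row[1] for row in report],
        "mrn_0002_count": len(accounting_for_patient(conn, "MRN-0002", now=now)),
    }


if __name__ == "__main__":
    print(demo())
```

Two points the article's design implies but does not spell out: the log is append-only (there is no update or delete path, so the seven-year record cannot be quietly edited), and timestamps are stored in one timezone in ISO form so the retention cutoff is a plain string comparison in the database.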
[ISN] Ex-Security Czar Richard Clarke Speaks Out
http://www.eweek.com/article2/0,3959,1108617,00.asp By Dennis Fisher May 26, 2003 During his 30 years in Washington, Richard Clarke evolved from a State Department staffer into the nation's top counterterrorism official and, at the time of his retirement in March, the special adviser to the president for cybersecurity. Along the way, he developed a reputation for knowing how to get things done and also became one of the more polarizing figures in the inner circles of power inside the Beltway. He worked directly for three presidents in a span of 11 years at the White House and was the driving force behind the development of the National Strategy to Secure Cyberspace. He's now working as a consultant to ABC News and several security vendors. Senior Editor Dennis Fisher sat down with Clarke recently in Boston to talk about the state of security in the government and private sector and the development of the new National Cybersecurity Center. eWEEK: When you decided to leave the government, was that something that you planned for a while or was there some proximate cause? Clarke: No, that was something I had planned for 20 years. I had just reached the 30-year mark. I had completed 30 years of government service. eWEEK: The whole establishment of the Department of Homeland Security and the way that was all set up, how much of a role did that play in your decision to leave? Clarke: What we had decided to do, I had been involved with the president and others in helping to decide to create a department in the beginning before the administration had even announced its support for a department. We decided to take the cyber-security components of five different organizations and put them together in the department. Then, when we did the National Strategy to Secure Cyberspace, we intentionally sort of made two-and-a-half of the five priorities things that the new department would have to implement. 
So there was a plan in place for almost a year to move a lot of this function to the new department. It was one of the key things that the department would do. eWEEK: What's your impression so far of how everything's going there and how the consolidation is working? Clarke: If you think about private sector mergers, where two or three companies have to be put together, you understand that there is a normal period of adjustment. The Department of Homeland Security is trying to merge 22 organizations at the same time so it's that much more difficult. They're obviously having some growing pains. eWEEK: Do you expect that to continue? Clarke: Yeah, if you look at past federal departments coming into existence by merging federal organizations, you look at the Department of Transportation, the Department of Energy, it frequently took four to six years before the organizations thought of themselves as one department. We hope obviously that it's going to go quicker, but the historical record is it takes a little time. eWEEK: One of the big complaints I always hear from private sector folks is that they don't know where to go when they find a new vulnerability or have some other problem. Will this help with that? Clarke: Some people in the past called the National Infrastructure Protection Center at the FBI, some people called the CERT or the FedCIRC, the federal version. The idea of putting all of these organizations together is to create a National Cybersecurity Center, which I think they probably will announce early next month. That center will be the obvious place to make the call. eWEEK: That'll be for incident response, new vulnerabilities... Clarke: Yeah, the center will probably be more than just event response. It'll also be policy development, awareness, public outreach. It should be that thing that we described where the five cyber components come together in one room. 
The key to making the center work is that the person chosen to head it be sufficiently high-level. They can't be buried in that department. Because the person who's going to head that center has to do the job that in effect I did as the special adviser to the president. So they can't be on the fourth level of the department, and that's something they're still trying to work out. eWEEK: Do you think that'll be someone internal at the department itself? Clarke: No, no. I imagine it will be some nationally recognized expert in cyber-security. eWEEK: That seems like something that would've been a nice fit for you. Was that not something that interested you? Clarke: Ah, no. I had done 30 years of government service, 11 of that with the White House. No one had ever done 11 years continuous service at the White House before. So I had done enough. It's kind of like a sentence of hard labor. eWEEK: Were you surprised to see Howard Schmidt leave so soon after you left? Clarke: No. I think Howard did the right thing. He certainly by leaving sent a message to th
[ISN] U.S. government to get cybersecurity chief
http://www.salon.com/tech/wire/2003/05/25/cybersecurity/index.html By Ted Bridis May 25, 2003 WASHINGTON (AP) -- The Bush administration plans to appoint a new cybersecurity chief for the government inside the Homeland Security Department, replacing a position once held by a special adviser to the president. Industry leaders worry the new post won't be powerful enough. The move reflects an effort to appease frustrated technology executives over what they consider a lack of White House attention to hackers, cyberterror and other Internet threats. Officials have outlined their intentions privately in recent weeks to lawmakers, technology executives and lobbyists. The new position, expected to be announced formally within two weeks, is drawing early criticism over its placement deep inside the agency's organizational chart. The nation's new cyberchief will be at least three steps beneath Homeland Security Secretary Tom Ridge. In Washington, where a bureaucrat's authority and budget depend largely on proximity to power, some experts fear that could be a serious handicap. "It won't work. It's not a senior enough position," said Richard Clarke, Bush's top cyberspace adviser until he retired this year after nearly three decades with the government. Clarke's deputy, Howard Schmidt, resigned last month and accepted a job as chief information security officer for eBay Inc. "While it's not optimal having someone technically that low in the pecking order, it's much better than the current situation," said Harris Miller, head of the Information Technology Association of America, a leading industry trade group. He said success at that level of Washington's bureaucracy is "not mission impossible, it's just a difficult mission." The plan is consistent with Ridge's unease over elevating cyberconcerns above the security of airports, buildings, bridges and pipelines. 
The agency currently lumps both those issues under its Information Analysis and Infrastructure Protection unit, one of four directorates in Homeland Security. "It's pretty difficult for many businesses and many economic assets in this country to segregate the cyber side from the physical side because how that company operates, how that community operates, is interdependent," Ridge told lawmakers at a hearing this week. The new cyberchief also will be responsible for carrying out the dozens of recommendations in the administration's "National Strategy to Secure Cyberspace," a set of proposals put together under Clarke just before his departure. That plan, completed in February, is drawing criticism because it emphasizes voluntary measures to improve computer security for home users, corporations, universities and government agencies. "I don't think we have a plan," said Rep. Zoe Lofgren of California, the senior Democrat on the Homeland Security subcommittee on cybersecurity. "If we just take a look at that strategy, we're not going to end up with the solutions we need. There's a sense among the committee that there needs to be a little more meat." The government privately acknowledges many of those criticisms. In a previously undisclosed internal memorandum to Commerce Secretary Don Evans, the head of the agency's Bureau of Industry and Security described complaints from technology executives after meeting with them in September in California. The executives felt the government's plan was "not sufficiently strong because many of the key recommendations had been `watered down' and were not `mandatory,"' Undersecretary Kenneth Juster wrote. His organization at the time included the U.S. Critical Infrastructure Assurance Office, which has moved to Homeland Security. The Associated Press obtained a copy of Juster's memo under the Freedom of Information Act. 
Officials are still looking for candidates for the new position, which will be announced within the next two weeks. Clarke, now a private consultant, cautioned that the administration will have a difficult time convincing a prestigious cybersecurity expert to take the job. Some others predicted that won't be a problem. "Most folks if asked to do this would jump at the opportunity," said Sunil Misra, chief security adviser at Unisys Corp.
[ISN] Exclusive: HP's printer team in espionage drama
http://www.theregister.com/content/51/30914.html By Ashlee Vance in San Francisco Posted: 28/05/2003 Hewlett-Packard's top secret printer labs are under attack from an audacious rival using the art of deception to gather confidential information. A group of engineers working on HP's next-generation network laser printer have come under siege from a competitor, The Register has learned. Employees have received calls at work and at home from faux members of the HP team, asking for details on a new 9500 series printer code-named Nozomi. HP has fingered the culprit, we are told, although the company's identity cannot be released at this time. The calls started to come into HP's Boise, Idaho labs close to one month ago. The spies would pretend to be supervisors from another part of HP. They would grill engineers about ink cartridges and Nozomi's design. Some workers were also called at home with the spy pretending to take a survey about technology and, yes, ink cartridges. "They know the projects people are working on and where they live," a source said. "They pretend to be someone from another office and ask various questions. They're very smooth in their delivery." An HP spokeswoman declined to comment for this story. HP suspects that a competitor has backed the espionage campaign with close to $1 million in funding. An HP executive flew to Boise to instruct employees on what to do when the enemy (or the press) calls. Placards with directions have been placed throughout the well-guarded labs. HP has a number of fierce competitors in the printer space, including Lexmark, Canon, Epson, and new rival Dell. Corporate espionage is a somewhat common practice in the IT industry. Oracle admitted to keeping an eye on Microsoft by hiring a lobby group, IGI, to buy garbage from pro-Microsoft lobbyists. One of HP's competitors appears to have taken a similar course.
HP dominates the printer market and makes a killing in the process, so it stands to reason that rivals want to be in the know. In its last quarter, HP's printing and imaging business generated $918 million in profits.
[ISN] Lipner Steps Down as Head of MSRC
http://www.eweek.com/article2/0,3959,1110879,00.asp By Dennis Fisher May 28, 2003 Steve Lipner, the head of Microsoft Corp.'s Security Response Center, is stepping down to take a new job at the company. Kevin Kean, a seven-year Microsoft veteran, will be taking over Lipner's duties, Microsoft said Wednesday. This departure marks the second such leadership change at the MSRC in less than a year. Scott Culp, the former manager of the center, quit in December to become a program manager for security strategies under Scott Charney, the company's chief security strategist. Lipner will become the director of security engineering strategy in the Security Business Unit, headed by Mike Nash. Kean is currently a senior group product manager for Windows Server 2003 and has been involved with the Secure Windows Initiative. He joined Microsoft, based in Redmond, Wash., in 1996 as a group product manager for management and communications products. In his new role, Kean will take over responsibility for the company's entire security response organization, a group that regularly comes under harsh criticism from users and security experts alike. The MSRC is responsible for responding to any security issue found in a Microsoft product and is the group that writes the security bulletins and produces patches when flaws are found. As such, it is often the MSRC that receives the brunt of the criticism when users believe that the company is not responding quickly enough to security threats or when a patch causes problems on users' machines. Kean joins the MSRC at a time when Microsoft is focusing much of its internal resources on an attempt to improve the security of its products and the way that it responds to vulnerabilities and customer concerns. In his new role, Lipner will be responsible for defining Microsoft's security development processes and plans for their application to new product generations. 
His team will also define and execute new programs to help Microsoft customers deploy and operate their systems securely. Lipner, whose title was director of security assurance, has been at Microsoft for more than three years. He joined the company after stints at The Mitre Corp. and Digital Equipment Corp., among other places.
[ISN] Apache group issues update, warns of security hole
http://www.nwfusion.com/news/2003/0528apachgroup.html By Paul Roberts IDG News Service, 05/28/03 For the second time in as many months, the Apache Software Foundation (ASF) released an updated version of the popular open source Web server software, only to warn users of a critical security hole in previous versions of the software that the update patches. The new version of Apache, 2.0.46, was described as "principally a security and bug fix release" in a bulletin released by the open source organization Wednesday. Among those fixes is a patch for a security hole in the mod_dav module that could be exploited remotely, causing an Apache Web server process to crash, according to the bulletin. Mod_dav is an open source module that provides WebDAV (World Wide Web Distributed Authoring and Versioning) protocol support for the Apache Web server. WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically-dispersed "virtual" software development teams. Few details were available regarding the mod_dav vulnerability, which was first discovered and reported to the Foundation by a researcher at security firm iDefense. Further details regarding the problem will be published on Friday, the bulletin said. In March, Microsoft released a patch for a security hole caused by an unchecked buffer in a core Windows 2000 component used to handle the WebDAV protocol. That flaw, which has already been exploited by hackers, could enable an attacker to cause a buffer overflow on the machine running Internet Information Server, according to the Microsoft Security bulletin MS03-007. A second fix is for a denial-of-service vulnerability affecting Apache's authentication module.
By exploiting a bug in configuration scripts used by a function for password validation, attackers could launch remote denial of service attacks that would cause valid user names and passwords to be rejected, the bulletin said. The vulnerabilities affect versions of Apache ranging from 2.0.37 up to the most recent release, 2.0.45, which came out in April. That latest version was also released in response to a heretofore unknown critical security flaw which, like the mod_dav vulnerability, was discovered by iDefense and described in detail at a later date. As with its last software update, the Apache Software Foundation said that 2.0.46 was the "best version of Apache available" and recommended that users of prior Apache versions upgrade.
[ISN] Secunia Weekly Summary
=== The Secunia Weekly Advisory Summary, 2003-05-22 - 2003-05-29. This week: 51 advisories ===

An effective security solution starts with a position of expertise. The following 51 advisories are written by Secunia. Customers instantly receive advisories relevant to their unique system by e-mail and text message, enabling them to react efficiently. Security experts at Secunia constantly search for new vulnerabilities and threats. Vast amounts of advisories, vulnerabilities and security news are gathered and assessed daily.

- Stay Secure

===

2003-05-29
  Webfroot Shoutbox Execution of Arbitrary Code (Highly critical) http://www.secunia.com/advisories/8886/

2003-05-28
  Internet Information Server/Services Multiple Vulnerabilities (Less critical) http://www.secunia.com/advisories/8884/
  Windows Media Services ISAPI Extension Denial of Service (Moderately critical) http://www.secunia.com/advisories/8883/
  Red Hat update for httpd (Highly critical) http://www.secunia.com/advisories/8882/
  Apache Denial of Service and Potential System Compromise Vulnerabilities (Highly critical) http://www.secunia.com/advisories/8881/
  UpClient Privilege Escalation Vulnerability (Less critical) http://www.secunia.com/advisories/8878/
  Conectiva update for BitchX (Moderately critical) http://www.secunia.com/advisories/8877/
  Axis Network Camera HTTP Authentication Bypass Vulnerability (Highly critical) http://www.secunia.com/advisories/8876/
  HP-UX update for various network drivers (Less critical) http://www.secunia.com/advisories/8875/
  Red Hat update for kernel (Moderately critical) http://www.secunia.com/advisories/8873/
  OpenServer update for squid (Moderately critical) http://www.secunia.com/advisories/8872/
  EVFS Privilege Escalation Vulnerability (Not critical) http://www.secunia.com/advisories/8871/
  SuSE update for glibc (Moderately critical) http://www.secunia.com/advisories/8870/
  Conectiva update for netpbm (Less critical) http://www.secunia.com/advisories/8869/
  Kazaa and FastTrack P2P Network Client Buffer Overflow Vulnerability (Highly critical) http://www.secunia.com/advisories/8868/
  EServ Directory Listing and Unauthorised Proxy Access (Moderately critical) http://www.secunia.com/advisories/8867/

2003-05-27
  Gentoo update for heimdal (Moderately critical) http://www.secunia.com/advisories/8866/
  Gentoo update for Nessus (Less critical) http://www.secunia.com/advisories/8865/
  BLNews Execution of Arbitrary Code (Highly critical) http://www.secunia.com/advisories/8864/
  CUPS Partial IPP Request Denial of Service Vulnerability (Less critical) http://www.secunia.com/advisories/8863/
  Newsscript Admin Access Vulnerability (Less critical) http://www.secunia.com/advisories/8862/
  Privatefirewall Filter Bypass Vulnerability (Not critical) http://www.secunia.com/advisories/8861/
  AnalogX Proxy Long URL Buffer Overflow Vulnerability (Moderately critical) http://www.secunia.com/advisories/8860/
  TextPortal Weak Default Account Password (Moderately critical) http://www.secunia.com/advisories/8859/

2003-05-26
  Ultimate PHP Board Arbitrary Code Execution Vulnerability (Highly critical) http://www.secunia.com/advisories/8858/
  P-News Admin Access Vulnerability (Less critical) http://www.secunia.com/advisories/8857/
  ST FTP Service Directory Traversal Vulnerability (Moderately critical) http://www.secunia.com/advisories/8856/
  iisPROTECT SQL Injection Vulnerability (Highly critical) http://www.secunia.com/advisories/8855/
  Magic Winmail Server Denial of Service (Moderately critical) http://www.secunia.com/advisories/8854/
  XMB Cross Site Scripting (Less critical) http://www.secunia.com/advisories/8853/
  ShareMailPro User Enumeration (Less critical) http://www.secunia.com/advisories/8852/
  Outlook Express File Download Security Restriction Bypass (Less critical) http://www.secunia.com/advisories/8841/

2003-05-23
  Red Hat update for sharutils (Less critical) http://www.secunia.com/advisories/8851/
  iisPROTECT URL Encoding Authentication Bypass Vulnerability (Moderately critical) http://www.secunia.com/advisories/8850/
  Sun Cobalt update for glibc (Less critical) http://www.secunia.com/advisories/8849/
  Red Hat update for glibc (Moderately critical) http://www.secunia.com/advisories/8848/
  Red Hat update for balsa (Less critical) http://www.secunia.com/advisories/8847/
  Red Hat update for KDE (Moderately critical) http://www.secunia.com/advisories/8846/
  Red Hat update
Re: [ISN] Microsoft Pulls XP Update Over Glitch
Forwarded from: Mark Bernard <[EMAIL PROTECTED]>

Dear Associates,

Whatever happened to the concept of Total Quality Management? Have we given up on beta testing and other forms of pre-delivery, pre-market testing? These development processes have become so critical to so many people that there needs to be some level of assurance, such as that which pharmaceuticals are required to comply with. If need be, then it should also be federally regulated. Recently measures were taken to have CFOs certify their books; well, if I was a CFO and had stuff like this going on I would be very concerned. After all, how can you certify the books if the systems that they are running on are running flaky-ware?

Good Luck!
Mark.

- Original Message -
From: "InfoSec News" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, May 28, 2003 4:26 AM
Subject: [ISN] Microsoft Pulls XP Update Over Glitch

> http://www.washingtonpost.com/wp-dyn/articles/A45119-2003May27.html
>
> By TED BRIDIS
> The Associated Press
> Tuesday, May 27, 2003
>
> WASHINGTON - Microsoft Corp. withdrew a security improvement for its flagship Windows XP software after it crippled Internet connections for some of the 600,000 users who installed it.
>
> Microsoft officials said Tuesday the update - which had been available as an option since Friday on its "Windows Update" Web site - apparently was incompatible with popular security software from other companies, such as Symantec Corp.
>
> Microsoft said Internet connections failed immediately for an unspecified number of more than 600,000 computers using Windows XP who downloaded and installed the update. Consumers could reconnect only by removing the update, which promised to improve reliability for types of secure Internet connections commonly used by corporations.

[...]

- ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
[ISN] Windows & .NET Magazine Security UPDATE--May 28, 2003
= This Issue Sponsored By =
Research in Motion
  http://list.winnetmag.com/cgi-bin3/DM/y/eQ6U0CJgSH0CBw0BAOr0AM
Windows & .NET Magazine
  http://list.winnetmag.com/cgi-bin3/DM/y/eQ6U0CJgSH0CBw06Kw0A5
=

1. In Focus: Security Tools: Everybody Has Favorites
2. Security Risks
   - DoS in Cisco IOS
3. Announcements
   - Get Windows 2003 Active Directory Answers in a New eBook!
   - Back by Popular Demand--Windows & .NET Magazine's Security Road Show!
4. Security Roundup
   - News: Microsoft Launches Virus Information Center as Deceptive Worm Floods Inboxes
   - Feature: Improve Security with XP's Command-Line Tools
   - Feature: The Security of EFS
5. Instant Poll
   - Results of Previous Poll: Managing Junk Mail
   - New Instant Poll: Windows Update and SUS
6. Security Toolkit
   - Virus Center
   - FAQ: What Are the Differences Between Usrmgr.exe and Musrmgr.exe?
7. Event
   - Windows & .NET Magazine Web Seminar
8. New and Improved
   - Remove Risks in P2P File Sharing and IM Applications
   - Inoculate Windows 2003
   - Submit Top Product Ideas
9. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Continuous Password Attacks
10. Contact Us
   - See this section for a list of ways to contact us.

Sponsor: Research in Motion
NEW BLACKBERRY SECURITY WHITE PAPER
Prevent wireless handhelds from compromising your enterprise security! Download the BlackBerry Security White Paper for Microsoft Exchange and learn how the BlackBerry security architecture addresses data encryption, corporate firewalls, lost devices, and other critical security concerns.
http://list.winnetmag.com/cgi-bin3/DM/y/eQ6U0CJgSH0CBw0BAOr0AM

1. In Focus: Security Tools: Everybody Has Favorites
by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED]

Handling information security is a tedious task. Having decent tools at your disposal makes the job easier to accomplish. Of course, some tools are more valuable than others, depending on the tasks at hand.
You probably use some of the many security tools available today--to secure cross-network communication links, network borders and segments, servers, workstations, mobile devices, data storage systems, forensics, and more. Tool developers and vendors tout their wares, but what they say about their tools doesn't always provide enough insight into what a hands-on experience with a given tool might be like. You've probably found choosing which tools to use in a given scenario a challenge. One must review the possibilities, ask for recommendations, then investigate the most suitable tools to see which might meet a given set of needs. Nevertheless, you probably have a few favorites--depending on which tasks you need to perform. As a publisher of computing-related information, our publications review tools and present information about those tools in as unbiased a fashion as possible. But we can review only a fraction of the many tools available. At the same time, hundreds of thousands of people read our publications, and vast numbers of you have accumulated great hands-on experience with various security-related tools. Because many of you who read this newsletter are probably administrators who deal at some level with information security, I'm asking you what your favorite security tools are. Given the broad range of security tools available, I plan to leave the question wide open. I've no way of knowing which variables affect your network environment and your work--and thus your choice of tools. Perhaps you depend upon a particularly useful authentication tool, Wi-Fi (the 802.11b wireless standard) tool, encryption tool, Intrusion Detection System (IDS), firewall, packet analyzer, file system analyzer, scanner, Web protection, database protection, log analyzer, or spam prevention technology. Rather than developing a list of possible categories, I'm asking you to nominate the tools that serve you best. 
Whether you have one favorite tool or many, you probably like them because they're useful. Your experience can help others who might need such tools. If you're a security administrator (no developers or vendors, please), I hope you'll take time to send me an email message listing your favorite one or two tools (respond anonymously if you prefer). Prefix the subject of your response with "[Tools]" so that I can more easily gather the email messages and tally the results. In the body of the message, please list each of your favorite tools, and for each tool include the tool name; URL for each tool if possible; the platforms it runs on; whether the tool is commercial, shareware, or freeware; and a paragraph about the tasks it handles successfully. After June 12, I'll compile your responses and let you know the results when they're available. ==
[ISN] UK plc neglects basic VPN security
http://www.theregister.co.uk/content/55/30939.html

By John Leyden
Posted: 29/05/2003

Corporate UK is failing to configure and manage its firewalls and VPN services properly. Just like the more publicised Web server vulnerabilities, issues with security software are frequently left unaddressed months after a problem comes to light.

The Fifth Annual NTA Monitor Security Audit found that the risks present on corporate firewalls tested by NTA have risen by almost a fifth (17 per cent) since 2000. The report [1] was published last month, but a breakdown [2] looking specifically at firewall/VPN problems, published today, sheds fresh light on an important but neglected area of security.

Almost a third (31 per cent) of companies tested by NTA Monitor as part of its Regular Monitor security testing service during 2002 left their networks wide open to attack, either by installing firewall VPNs in their default configuration or by failing to follow best-practice security principles. NTA Monitor found that the most common errors were basic mistakes in firewall management and in the configuration of VPN services, which allowed the VPNs to be located and profiled from outside.

"It is a key security principle to keep your firewall and remote connections hidden from unauthorised users - if a firewall can't be detected then it can't be hacked," said Roy Hills, technical director, NTA Monitor.

By polling the services offered on a vendor's standard proprietary ports, an attacker can identify the type of firewall VPN installed and occasionally the version number. Having identified the firewall, a cracker can target it with known exploits or keep a record of its profile to run against new threats as they are published. NTA Monitor advises corporates, where possible, to prevent unauthorised access by keeping firewalls and remote connections hidden from all but authorised IP addresses. It also recommends that corporates avoid allowing access to sequential (predictable) IP address ranges.
Last September, NTA Monitor discovered a flaw in Check Point's VPN implementation of IKE aggressive mode, enabling unlimited password attempts against the accounts of remote VPN clients. In tests performed on corporate sites between the start of February and May 20, NTA Monitor found the vulnerability present at 58 per cent of sites using this software, more than six months after the flaw was widely reported.

"This underlines the fact that corporates are failing to make best-practice configuration changes or to apply relevant security patches," Hills concludes.

NTA Monitor has issued a Good Practice Guide to securing a firewall/VPN, which can be found here [3].

[1] http://www.nta-monitor.com/auditreport/
[2] http://www.nta-monitor.com/vpn/
[3] http://www.nta-monitor.com/vpn/good-practice.htm
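The aggressive-mode exposure above can be checked from outside in one round trip, because IKE Phase 1 is a plain UDP/500 exchange. The probe below is an added example written for this digest, not NTA Monitor's tool and not Check Point code: it sends the first aggressive-mode message to a gateway and classifies whatever comes back. The target host, the identity string, the single 3DES/SHA1/PSK/MODP-1024 proposal and all function names are assumptions; the byte layouts follow RFC 2408 and RFC 2409. A gateway that answers with its ID and HASH_R has authenticated itself to an unauthenticated stranger, and because HASH_R is keyed by prf(PSK, Ni|Nr) rather than by the Diffie-Hellman secret, that one reply is enough to guess the pre-shared key offline as often as one likes, with the gateway never seeing a failed attempt. That is one way the "unlimited password attempts" in the article come about.

```python
"""IKEv1 aggressive-mode probe: an added example for this digest, not NTA Monitor's
ike-scan and not Check Point code. Target host, identity string and the single
3DES/SHA1/PSK/MODP-1024 proposal are assumptions; layouts follow RFC 2408/2409."""
import os
import socket
import struct

ISAKMP_PORT = 500
EXCH_AGGRESSIVE, EXCH_INFORMATIONAL = 4, 5
# Payload type codes (RFC 2408 section 3.1)
PL_NONE, PL_SA, PL_KE, PL_ID, PL_HASH, PL_SIG, PL_NONCE, PL_NOTIFY = 0, 1, 4, 5, 8, 9, 10, 11
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH",
                 9: "SIG", 10: "NONCE", 11: "NOTIFY", 12: "DELETE", 13: "VID"}
NOTIFY_NAMES = {11: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN",
                16: "PAYLOAD-MALFORMED", 18: "INVALID-ID-INFORMATION"}


def payload(next_type, body):
    """Generic payload: next-payload, reserved, 16-bit length including this header, body."""
    return struct.pack("!BBH", next_type, 0, 4 + len(body)) + body


def attr(atype, value):
    """Basic (16-bit value) transform attribute; the high bit of the type marks it basic."""
    return struct.pack("!HH", 0x8000 | atype, value)


def sa_body():
    """SA payload body: IPsec DOI, SIT_IDENTITY_ONLY, one proposal carrying one transform."""
    attrs = (attr(1, 5) + attr(2, 2) + attr(3, 1) + attr(4, 2)   # 3DES, SHA1, PSK, MODP-1024
             + attr(11, 1) + attr(12, 28800))                   # lifetime 28800 seconds
    transform = payload(PL_NONE, struct.pack("!BBH", 1, 1, 0) + attrs)        # transform 1, KEY_IKE
    proposal = payload(PL_NONE, struct.pack("!BBBB", 1, 1, 0, 1) + transform)  # proposal 1, ISAKMP, no SPI
    return struct.pack("!II", 1, 1) + proposal


def isakmp_message(icookie, rcookie, exch, chain):
    """Pack a header plus a chain of (payload type, body) pairs, wiring each next-payload field."""
    body = b"".join(payload(chain[i + 1][0] if i + 1 < len(chain) else PL_NONE, pbody)
                    for i, (_ptype, pbody) in enumerate(chain))
    first = chain[0][0] if chain else PL_NONE
    return struct.pack("!8s8sBBBBII", icookie, rcookie, first, 0x10, exch, 0, 0, 28 + len(body)) + body


def build_aggressive_probe(identity, icookie=None):
    """First aggressive-mode message: HDR, SA, KE, Ni, IDii (RFC 2409 section 5.4).
    KE is random rather than g^x: HASH_R is keyed by prf(PSK, Ni|Nr), not by the
    DH secret, so the probe never needs a real exponent to get a usable answer."""
    ke = bytearray(os.urandom(128))   # MODP-1024 public value length
    ke[0] &= 0x7F                     # keep the value below the group prime
    id_body = struct.pack("!BBH", 3, 17, ISAKMP_PORT) + identity.encode()  # ID_USER_FQDN, UDP/500
    chain = [(PL_SA, sa_body()), (PL_KE, bytes(ke)), (PL_NONCE, os.urandom(20)), (PL_ID, id_body)]
    return isakmp_message(icookie or os.urandom(8), b"\0" * 8, EXCH_AGGRESSIVE, chain)


def parse_isakmp(data):
    """Return (initiator cookie, exchange type, payload types in order, notify message types)."""
    if len(data) < 28:
        raise ValueError("datagram shorter than an ISAKMP header")
    icookie, _rc, nxt, _ver, exch, _flags, _mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length > len(data):
        raise ValueError("declared length exceeds datagram")
    types, notifies, off = [], [], 28
    while nxt != PL_NONE and off + 4 <= length:
        following, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > length:
            raise ValueError("malformed payload length")   # also stops a zero-length loop
        types.append(nxt)
        if nxt == PL_NOTIFY and plen >= 12:                 # DOI(4) proto(1) spisize(1) type(2)
            notifies.append(struct.unpack("!H", data[off + 10:off + 12])[0])
        off, nxt = off + plen, following
    return icookie, exch, types, notifies


def classify(probe, reply):
    """Turn the gateway's answer (or its silence) into a finding."""
    if reply is None:
        return "no reply: aggressive mode not offered, or UDP/500 filtered for this source"
    icookie, exch, types, notifies = parse_isakmp(reply)
    if icookie != parse_isakmp(probe)[0]:
        return "reply carries a foreign initiator cookie; ignored"
    names = ",".join(PAYLOAD_NAMES.get(t, str(t)) for t in types)
    if exch == EXCH_AGGRESSIVE and PL_ID in types and PL_HASH in types:
        return "aggressive mode with pre-shared key accepted: gateway sent IDir and HASH_R (%s)" % names
    if exch == EXCH_AGGRESSIVE and PL_SIG in types:
        return "aggressive mode with signature authentication accepted (%s)" % names
    if exch == EXCH_INFORMATIONAL and notifies:
        return "rejected: " + ", ".join(NOTIFY_NAMES.get(n, "notify %d" % n) for n in notifies)
    return "exchange type %d, payloads %s" % (exch, names)


def probe_gateway(host, identity, timeout=3.0):
    """Send one probe to host:500 and classify the reply (network I/O; authorised targets only)."""
    pkt = build_aggressive_probe(identity)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, ISAKMP_PORT))
        try:
            reply = s.recvfrom(4096)[0]
        except socket.timeout:
            reply = None
    return classify(pkt, reply)


if __name__ == "__main__":
    import sys
    print(probe_gateway(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "testuser@example.com"))
```

Run it as `python probe.py vpn.example.com alice@example.com` against a gateway you are authorised to test. A `rejected: NO-PROPOSAL-CHOSEN` answer still tells an outsider that a negotiating IKE endpoint is there; `no reply` is the posture NTA Monitor recommends, where only authorised source addresses get any response at all. The parser refuses payload lengths under four bytes, since a crafted reply with a zero-length payload would otherwise loop forever.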
[ISN] Security researcher accuses Redmond of misleading customers
http://www.smh.com.au/articles/2003/05/30/1054177706964.html

By Sam Varghese
May 30 2003

Security researcher Marc Maiffret of eEye Digital Security has accused Microsoft of misleading customers in the advisory it issued on Wednesday about a vulnerability in Windows Media Services.

Maiffret said that, contrary to Microsoft's advice, "this... vulnerability is exploitable, as confirmed in the labs at eEye, and by the discoverer of this vulnerability, Brett Moore."

He said: "I am not sure why Microsoft misidentified this vulnerability... maybe it is just a typo, maybe it's a lack of technical know-how. Either way they need to re-release this advisory so that the correct information is given to customers."

Maiffret said there was a big difference between telling customers 'Ahh, it's a denial of service, and your web server will automatically restart' and the reality of the situation: 'If you're running Windows Media Services on IIS, attackers can spawn a remote shell 'command prompt' on your vulnerable system.'

He said Moore, the researcher from New Zealand who had identified the flaw, would be releasing an advisory soon with more details on the how and why of the matter.

Maiffret said he was "not sure how you can have 'Trust'worthy Computing when you're misinforming customers on a regular basis or releasing patches that disable their Internet access."

Meanwhile, Microsoft has revised two advisories issued earlier this year. An updated Windows XP Service Pack 1 patch was issued to fix a local elevation of privilege, as the original patch had caused some performance issues. Additionally, patches were released for NT 4.0 and XP to fix a vulnerability that would enable an attacker to run code of his or her choice. Earlier, this vulnerability had been said to be present only in Windows 2000.
[ISN] Lamo Hacks Cingular Claims Site
http://www.wired.com/news/privacy/0,1848,59024,00.html

By Christopher Null
May. 29, 2003

Cingular can issue insurance to its mobile-phone customers to protect them against loss and damage, but it apparently can't ensure that hackers won't have full access to their personal data.

Adrian Lamo, a hacker who in the past has broken into The New York Times and Yahoo, found a gaping security hole in a website run by a company that issues the insurance to Cingular customers. By accessing the site, Lamo said he could have pulled up millions of customer records had he wanted to.

He said he discovered the problem this weekend through a random finding in a Sacramento Dumpster, where a Cingular store had discarded records about a customer's insurance claim for a lost phone. By simply typing in a URL listed on the detritus, Lamo was taken to the customer's claim page on a site run by lock\line LLC, which provides the claim management services to Cingular.

Normally, this page should have been reachable only by passing through a password-protected gateway, but by simply entering the valid URL, Lamo discovered that individual claims pages could be accessed, no password authentication needed. Each page contained the customer's name, address and phone number, along with details on the insurance claim being made.

Altering the claim ID numbers (which were assigned sequentially) in the URL gave Lamo access to the entire history of Cingular claims processed through lock\line, comprising some 2.5 million customer claims dating back to 1998.

Lamo said the hack was similar to his discovery of a security hole at Microsoft in October 2001, where the server was configured to assume that if a user could reach a certain URL that was otherwise unpublished on the Internet, that user must be authorized to do so and must already be logged in.

As with his other hacks, Lamo said he had no intent of profiting from the exploit, just pointing out a security flaw.
Lamo first exposed the problem to Wired News. After this reporter pointed out the flaw, Cingular and lock\line closed the hole by Wednesday morning. Cingular spokesman Tony Carter said lock\line has enabled password protection for the site and has now incorporated "obfuscation techniques" that scramble URLs so that, even in the event of a site compromise, additional records should not be easily accessible. Lock\line spokesman Reed Garrett confirmed the hack.

Carter noted that no financial information or social security number data were taken, and that the information wasn't even available to lock\line. "We screwed up," said Carter. "Our policy is that any time there is a document with customer information on it, it is to be shredded. They've been trained on this. They just didn't do it. There's no excuse for it."

The event highlights the problems of managing vendor relationships when customer information needs to be shared but each company has different processes for handling that information. Carter says Cingular has nearly 40,000 vendors, and staying on top of them all is an "arduous" task, which the company continues to evaluate.

Jerry Brady, CTO of security services company Guardent, said incidents like the Cingular episode are not that uncommon. "This usually happens because people whip together quick-and-dirty front ends without much thought to the construction of the data," he said. "You see this all the time, not just in the private sector, but in government systems as well. You just can't expect that outsourcer (to) treat confidential data the same way as the firm. They have no vested interest in worrying about the customer."

Lamo noted that outsourcing arrangements continue to yield a treasure trove of weak links in electronic security. Said Lamo, "As companies begin to outsource more and more of their businesses, the line of where security begins and ends gets blurry." He added that in this case, the security was "tremendously bad."

The Cingular discovery is the latest in a line of exploits from Lamo. In the past few years, Lamo has found his way into the database containing sources for The New York Times, has altered news stories on Yahoo and has repeatedly compromised AOL. Companies have contemplated suing him, but security experts have lauded his efforts for pointing out flaws.

Lamo, 22, doesn't have a permanent address. He wanders cross-country on foot or by public bus. Spring and summer usually bring him to Northern California. Until recently, he used terminals at Kinko's to perform his hacks. He has graduated to using a Wi-Fi-ready laptop at Starbucks to do his work.

For Lamo, there's a bigger issue at stake with the Cingular hack. "If only they had recycled the document instead of throwing it away," he quipped, "this wouldn't have happened."
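The hole Lamo walked through is the pattern now called an insecure direct object reference: the claim number in the URL was both the lookup key and, in effect, the only authorisation. The code below is an added example, not lock\line's or Cingular's software; the record fields, function names and three sample claims are constructed. It shows the behaviour the article describes, the sequential walk that turned one discarded printout into 2.5 million records, and a hardened handler that keeps separate the two controls lock\line's fix runs together: an unguessable token stops the walk, but only the login-plus-ownership check stops the person holding the printout.

```python
"""Added example for this digest, not lock\\line's or Cingular's code: the claim
page as the article describes it, the sequential walk, and a hardened handler.
Record fields, function names and the three sample claims are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: int        # sequential, which is what made the walk possible
    customer_id: int
    name: str
    phone: str
    detail: str


# Constructed sample records; no real customers or claims.
CLAIMS = {
    1001: Claim(1001, 1, "A. Customer", "555-0101", "lost handset"),
    1002: Claim(1002, 2, "B. Customer", "555-0102", "water damage"),
    1003: Claim(1003, 1, "A. Customer", "555-0101", "cracked screen"),
}


class Forbidden(Exception):
    """Raised by the hardened handler; a web front end would map it to HTTP 403."""


def claim_page_as_described(claim_id):
    """The behaviour the article reports: whoever reaches the URL gets the record."""
    return CLAIMS.get(claim_id)


def walk_sequential_ids(lookup, start, stop):
    """Lamo's technique: step the number in the URL and keep every page that answers."""
    found = []
    for cid in range(start, stop):
        rec = lookup(cid)
        if rec is not None:
            found.append(rec.claim_id)
    return found


# Hardened variant. Two independent controls: the caller must hold an
# authenticated session, and the record's owner must be that session's customer.
# The random token replaces the guessable number but is not relied on by itself:
# a printout from a Dumpster carries a token as readily as it carries a number.
TOKEN_TO_CLAIM = {}


def issue_claim_token(claim_id):
    """Mint an unguessable 128-bit URL token for a claim when its link is generated."""
    token = secrets.token_urlsafe(16)
    TOKEN_TO_CLAIM[token] = claim_id
    return token


def claim_page_hardened(token, session_customer_id):
    """Resolve the token, then enforce ownership; unauthenticated callers never reach the lookup."""
    if session_customer_id is None:
        raise Forbidden("login required")
    claim_id = TOKEN_TO_CLAIM.get(token)
    rec = CLAIMS.get(claim_id) if claim_id is not None else None
    if rec is None or rec.customer_id != session_customer_id:
        # Same answer for "no such claim" and "not your claim": no oracle to enumerate against.
        raise Forbidden("no such claim")
    return rec


def try_fetch(token, session_customer_id):
    """The record, or None when the hardened handler refuses (what a 403 looks like to a scraper)."""
    try:
        return claim_page_hardened(token, session_customer_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    print("as described:", walk_sequential_ids(claim_page_as_described, 1000, 1010))
    tok = issue_claim_token(1002)
    print("owner:", try_fetch(tok, 2))
    print("other customer:", try_fetch(tok, 1))
    print("printout, no login:", try_fetch(tok, None))
```

The token map is an in-memory dict here; a real service stores the token with the claim. Tokens in URLs still land in browser history, proxy logs and, as this story shows, printouts, which is why the token is never the control on its own and the ownership check runs on every request.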
[ISN] Microsoft creates new group to clean its coding act
http://www.nwfusion.com/news/2003/0529microcreat.html

By Joris Evers
IDG News Service
05/29/03

Microsoft is expanding its security business unit with a group that will establish new software development processes and create tools for its programmers so that future Microsoft products will have fewer security flaws, a Microsoft executive said.

"The new Security Engineering Strategy team will look at security across all Microsoft product lines, with the ultimate goal being that customers will take security for granted in Microsoft products," Steve Lipner, the recently named director of Security Engineering Strategy at Microsoft, said in an interview on Wednesday.

"My position really is recognition of the fact that there are a lot of security aspects to building and shipping software products at Microsoft, and we need to do a more coherent job of looking forward across all the products we ship, trying to address security holes before they are discovered outside of Microsoft," Lipner said. "What we're focusing on is improving our processes for building code that is as good, and particularly as secure, as we can possibly make it," he said.

Lipner previously headed Microsoft's Security Response Center (MSRC), the part of Microsoft that handles security vulnerabilities in products after they have shipped. Lipner also drove the code-cleaning initiative last year which saw Microsoft take a break from writing code to examine its work for security flaws.

The Security Engineering Strategy team will be small, with about 10 security experts who will be recruited from within as well as outside Microsoft, Lipner said. "We will try to get the best people so we can do a great job on security for our customers," he said.

Microsoft, which has faced hefty criticism when it comes to the security and stability of its products, created a business unit focused on security just over a year ago. The unit has been growing steadily since, Lipner said.

"Trustworthy Computing and security are key elements of success for the IT industry going forward," he said. Trustworthy Computing is the Microsoft-wide initiative to focus on security, launched by Microsoft Chairman and Chief Software Architect Bill Gates in January last year.
[ISN] Expert: Casinos need to improve online security
Forwarded from: William Knowles <[EMAIL PROTECTED]>

http://www.lasvegassun.com/sunbin/stories/gaming/2003/may/29/515145345.html

By Liz Benston
[EMAIL PROTECTED]
LAS VEGAS SUN
May 29, 2003

Las Vegas casinos are considered among the most physically secure environments around -- but are far behind in terms of creating computerized security systems that can withstand cyber-attacks from disgruntled customers, corporate spies, ideological opponents and even terrorists, a security expert says.

"The potential for a cyber 9-1-1 is high," said Michael Leach, a director of Computer Sciences Corp., an El Segundo, Calif.-based supplier of information security systems. Leach addressed a group of information technology managers and other technology specialists at the Gaming Technology Summit in Henderson on Wednesday.

Casinos have retained older back-office technology systems that are increasingly vulnerable to security gaps as newer front-end software systems are added to their floors, Leach said. Companies also are behind in offering online security for gamblers, he added.

Properties are increasingly offering slot club loyalty cards and taking other measures to better monitor their customers for marketing purposes. But companies generally don't allow customers to "opt out" of requests to sell or exchange personal information with other companies, he said. Security and privacy standards for customers also are generally absent from gaming regulations nationwide.

With the pervasiveness of the Internet in business transactions and the explosion of computerized technology for even the smallest tasks, the casino industry should expect regulators to take a closer look at cyber-security measures, he told attendees.

Government agencies and some businesses are migrating toward the use of "smart cards" and in some cases biometrics to identify and track employees and customers, he said. New technology carries new risk unless companies devise security measures to monitor those systems. That's because hackers can now destroy what once required manual manipulation, such as locking all of the secure doors in a casino, he said.

Strict casino regulations have created highly specialized departments that function somewhat independently from one another. Departments must find a way to work more closely together to develop a companywide risk management system that appeases regulators and creates a more seamless security barrier, he said.

Meanwhile, executives across many industries have falsely concluded that their security is "good enough" and that terrorism "is not their problem," said Leach, who worked for the DuPont chemical company for more than 34 years. Others that have implemented some kind of companywide risk management system are relying on incorrect assumptions of security, he said. Computer firewalls that keep out viruses can't protect systems from disruptions that could occur from within, such as those initiated by unidentified employees or individuals that are outsourced by a company to perform a certain task. Information that is scrambled, or encrypted for security purposes, also can be cracked using high-performance computers, he said.

Also at the gaming summit, Pete Fox, general manager of Microsoft Corp.'s Southwest region, said the tech giant aims to work more closely with the gaming industry to create specific products to run their casinos as well as to better service those products. Microsoft doesn't intend to develop gambling software such as that used on remote gambling devices in Europe, however, said Fox, who oversees Microsoft operations across Clark County, Arizona and New Mexico. The company has talked with software development partners about creating technology that could make gambling more convenient, he said. But such systems would eventually come from developers rather than management companies such as Microsoft, he said. Fox declined to comment on regulations governing Internet gambling and other remote betting systems.

Some European countries have devised rules on Internet gambling and allow gamblers to bet remotely from casinos using personal computing devices such as cell phones. The U.S. government, which has taken a more stringent approach to Internet gambling, has determined that online wagering is illegal with some exceptions like simulcast wagering on horse races. Meanwhile, a bill that would outlaw financial transactions used to place Internet wagers is pending in Congress.

*==*
"Communications without intelligence is noise; Intelligence without communications is irrelevant."
Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==*
[ISN] Cyber-Attack Costs Down, Says Survey
http://www.eweek.com/article2/0,3959,1112163,00.asp

By Dennis Fisher
May 29, 2003

The amount of money that U.S. businesses and other organizations lose to digital attacks has dropped more than 50 percent since 2002, according to the latest survey from the Computer Security Institute and the FBI. And the percentage of organizations that detected unauthorized use of their systems fell to 56 percent from 60 percent a year earlier.

The 2003 survey also shows that companies are still failing to report most of their intrusions and attacks to law enforcement. Only 30 percent of the survey's respondents said they had contacted the authorities after an attack, a drop from 34 percent a year ago. Negative publicity and fear that competitors would use the information to their advantage were the top two reasons organizations cited for failing to talk to law enforcement after an attack.

Among the most frequently seen attacks, viruses, laptop misuse and unauthorized access by insiders continued to lead the way, according to the survey. Fully 82 percent of all respondents reported being hit by a virus, down somewhat from 85 percent in 2002.

But the most surprising result of the survey is clearly the dramatic drop in the estimated financial cost of the reported attacks. The 530 organizations surveyed reported $201.8 million in losses this year; in 2002, 503 respondents lost $455.8 million.

The CSI/FBI Computer Crime and Security Survey is conducted annually and surveys security professionals at a variety of U.S. corporations, government agencies, universities and other organizations. This is the eighth year the survey has been conducted.

One of the most often cited statistics from the survey is the number of attacks that come from inside an organization versus the number that originate outside the network. Security vendors frequently use these numbers to support whatever claim they're making about the need for their product.

In 2003, the trend toward more of the attacks coming from outside the network continued, with 78 percent of respondents saying the Internet is their most frequent point of attack. Only 30 percent cited internal systems as the top attack vector, down from 33 percent last year.

Another interesting finding of the survey is the sharp decrease in the number of organizations reporting unauthorized access or misuse of their Web sites. The number fell to 25 percent from 38 percent in 2002. And of the respondents that saw Web incidents, 69 percent reported five or fewer such incidents. Most of the Web-related incidents were simple vandalism (36 percent) and denial-of-service attacks (35 percent).
[ISN] PHRACK MAGAZINE Call For Papers (#61)
Forwarded from: phrack staff <[EMAIL PROTECTED]>

[-]=[-]

P H R A C K : R E L O A D E D : CALL FOR PAPERS

* CALL FOR PAPERS * CALL FOR PAPERS * CALL FOR PAPERS

- Deadline: Friday the 18th of July
  http://www.phrack.org/cfp_p61.txt

The 61st edition of PHRACK MAGAZINE is going to be released in the beginning of August [1]. Make your mark on the matrix, publish in phrack. Don't bother us with lame articles -- only the elite papers will make it.

Papers can be on any topic related to the following:
- hacking
- phreaking
- reverse engineering
- cryptography
- security
- spying
- forensics
- radio
- anarchy
- coding
- conspiracy
- world news

As in the last issue, we will showcase selected tools from the hacking community. We call for developers to send in tools that can be used to fight the matrix.

PHRACK MAGAZINE is one of the longest running electronic magazines in existence. We taught Trinity how to use nmap [2] and how to code her ssh crc32 exploit [3]. Morpheus believes in our prophecy [4]. Neo can't stop thinking 'it feels more real when I read phrack than when I do not'.

Since 1985, PHRACK MAGAZINE has been providing the hacker community with information on operating systems, network technologies and telephony, as well as relaying features of interest for the international computer underground. PHRACK MAGAZINE is made available to the public, as often as possible, free of charge.

The staff is throwing in one red pill after another to get the release done on schedule; do your part and submit a paper.

PHRACK MAGAZINE -- only for those who know how deep the rabbit hole is.

Sincerely,
PHRACK MAGAZINE STAFF
[EMAIL PROTECTED]

[1] An agent told us that there might be a hardcover release.
[2] http://www.phrack.org/show.php?p=51&a=11
[3] http://www.phrack.org/show.php?p=49&a=14
[4] http://www.phrack.org/show.php?p=7&a=3
[5] sorry madonna.

[-]=[-]
Re: [ISN] Exclusive: HP's printer team in espionage drama
Forwarded from: security curmudgeon <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>

Anyone else skeptical about this? If not skeptical, see a lot of coincidences that make you say "hr?"

: http://www.theregister.com/content/51/30914.html
:
: By Ashlee Vance in San Francisco
: Posted: 28/05/2003
:
: Hewlett-Packard's top secret printer labs are under attack from an audacious rival using the art of deception to gather confidential information.
:
: A group of engineers working on HP's next-generation network laser printer have come under siege from a competitor, The Register has learned. Employees have received calls at work and at home from faux members of the HP team, asking for details on a new 9500 series printer code-named Nozomi. HP has fingered the culprit, we are told, although the company's identity cannot be released at this time.

That's fine; if this is true we'll find out who it was in a Department of Justice press release in a few months to a year.

: HP suspects that a competitor has backed the espionage campaign with close to $1 million in funding. An HP executive flew to Boise to instruct employees on what to do when the enemy (or the press) calls. Placards with directions have been placed throughout the well-guarded labs.

Now where did this number come from? A dedicated social engineering attack, even using a dozen people over several months... you are going to pay them 1 million dollars? What, they get overpriced phones, their own office and car? The reason social engineering attacks are still popular is not only their typical success, but their low cost to implement. It only takes a payphone, disposable cell phone, hotel lobby phone or any other that offers a shred of anonymity. That alone allows you to efficiently launch your attack with minimal costs.

When I see "HP Executive" and think of who works at HP, namely Ira Winkler, I also think back to his repetitive dickwaving claims that he could steal "a million dollars" from any company. Wonder if this is just coincidence? Or perhaps Winkler trying to justify his position at HP after recent "disgraces" he brought upon HP at public conferences.

: HP has a number of fierce competitors in the printer space, including Lexmark, Canon, Epson, and new rival Dell.
:
: Corporate espionage is a somewhat common practice in the IT industry. Oracle admitted to keeping an eye on Microsoft by hiring a lobby group, IGI, to buy garbage from pro-Microsoft lobbyists.

One example and it's "a somewhat common practice"? I know, short article, can't include several examples. I'm sure if we do some reading, we can come up with several other Corporate Espionage examples. This brings up yet another amazing coincidence.

  Corporate Espionage
  What it is, Why it's happening in your company, What you must do about it
  Ira Winkler
  ISBN: 0-7615-0840-6

So Winkler identifies what Corporate Espionage is. Why it IS happening in your company (even if it likely isn't?) And what you must do about it (like fly to Boise to educate the people falling victim to the attack). Voila! Justification for your salary.

Makes me wonder who is getting social engineered here. Hewlett-Packard or Ashlee Vance/Register?
[ISN] Linux Advisory Watch - May 30th 2003
+---------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch  |
|  May 30th, 2003                         Volume 4, Number 21a  |
+---------------------------------------------------------------+

Editors: Dave Wreski, Benjamin Thomas
[EMAIL PROTECTED] [EMAIL PROTECTED]

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for squid, BitchX, netpbm, gPS, heimdal, nessus, lprng, gnupg, up2date, ptrace, apache, cups, and glibc. The distributors include Conectiva, Debian, Gentoo, Mandrake, Red Hat, Slackware, and SuSe. Several of the advisories released are updates to vulnerabilities found last week.

There is nothing particularly serious this week, but it is always advisable to have everything patched before the weekend. Knowing that your servers are up-to-date is a good way to help ensure that you will have an uninterrupted weekend. What else can assure you that operations will run smoothly during time off? There are many pieces to the equation that are important. One of the most significant aspects is using servers that are properly configured and hardened. In addition, proper server administration procedures must be followed. While many intrusions are a result of vulnerable packages, a large number of them can also be attributed to improper software configuration and administration. This burden falls on the administrator.

What can be done to reduce the risk of improper software configuration? The easiest way is to look for a preconfigured or specialized security distribution. Because I am a long time contributor to EnGarde Secure Linux, I am biased in this recommendation. However, I personally feel that using a distribution such as EnGarde will dramatically improve your organization's security stance with very little time, effort, and money invested. You'll find that with EnGarde, administration becomes easy.

I have used it for years and now I find myself becoming lazy when it comes to using other systems. I find myself not wanting to configure anything manually and instead have the WebTool do it for me. Administration has become easy and now it is possible to concentrate on more intellectually stimulating projects. A specialized distribution is ideal for administrators with multiple systems to maintain in a critical environment. More information can be found here: http://www.engardelinux.org

If you've only installed Linux and Apache to host your grandmother's knitting Web site, or you are just looking to learn the inner workings of security and administration, I recommend finding a good Linux security book. An interesting book that I recently had the pleasure of reading is titled Linux Security Toolkit, by David Bandel. It covers host security, network security, firewalls & specialized security software, and Linux security auditing. It is easy to read and suitable for administrators wishing to concentrate on security. Like most books published today, it is not suitable for the seasoned administrator. Although the book is well written, it is not full of cutting edge knowledge. If you're looking to learn more about security, I recommend taking a look. It is available used through Amazon.com at a very reasonable price. The book can be purchased here: http://www.amazon.com/exec/obidos/tg/stores/offering/list/-/0764546902/all/ref=dp_bb_a/002-3699577-0487253

Until next time,
Benjamin D. Thomas

## FREE GUIDE-128-bit encryption ##

Thawte is one of the few companies that offers 128 bit supercerts. A supercert will allow you to extend the highest allowed 128 bit encryption to all your clients even if they use browsers that are limited to 40 bit encryption. Download a guide to learn more.

http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte19

LINUXSECURITY.COM FEATURE:

Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data for malicious, inaccurate or anomalous activity. At the most basic levels there are two forms of Intrusion Detection Systems that you will encounter: Host and Network based.

http://www.linuxsecurity.com/feature_stories/feature_story-143.html

* Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite is unparalleled in security, ease of management, and features. Open source technology constantly adapts to new threats. Email firewall, simplified administration, automatically updated.

--> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2

+--------------------------------+
| Distribution: Conectiva        | //
+--------------------------------+

5/2
Re: [ISN] Lamo Hacks Cingular Claims Site
Forwarded from: Steven Moshlak <[EMAIL PROTECTED]>

"Dumpster-Diving" for information is as old as, well, J Edgar Hoover's boys used to do it (they busted a spy ring or two), competitors would go through the trash, searching for hardcopy print-outs, not to mention the criminal element, which has made identity theft, which until late, has become a major and prolific problem.

The solution is simple; if it is worth securing, it is worth shredding and/or securing your sensitive documentation.

This happened in California? So what else is new?

-Steve

- Original Message -
From: "InfoSec News" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, May 30, 2003 1:38 AM
Subject: [ISN] Lamo Hacks Cingular Claims Site

> http://www.wired.com/news/privacy/0,1848,59024,00.html
>
> By Christopher Null
> May. 29, 2003
>
> Cingular can issue insurance to its mobile-phone customers to
> protect them against loss and damage, but it apparently can't ensure
> that hackers won't have full access to their personal data.
>
> Adrian Lamo, a hacker who in the past has broken into The New York
> Times and Yahoo, found a gaping security hole in a website run by a
> company that issues the insurance to Cingular customers. By
> accessing the site, Lamo said he could have pulled up millions of
> customer records had he wanted to.
>
> He said he discovered the problem this weekend through a random
> finding in a Sacramento Dumpster, where a Cingular store had
> discarded records about a customer's insurance claim for a lost
> phone. By simply typing in a URL listed on the detritus, Lamo was
> taken to the customer's claim page on a site run by lock\line LLC,
> which provides the claim management services to Cingular.
[ISN] This computer security column is banned in Canada
Forwarded from: Rob Rosenberger <[EMAIL PROTECTED]>

This column is banned in Canada
http://Vmyths.com/rant.cfm?id=598&page=4

IF YOU LIVE in Canada, you cannot legally read this column. Canadians must click here immediately to leave this website. Do not read further under penalty of Canadian law.

Did the Canucks leave? Ah, good. Now I can talk to the rest of you.

As you may know, Canada's University of Calgary recently announced they would offer a new "Computer Viruses and Malware" course where drunken undergraduate frat boys will write malicious software. Academic achievement takes on a whole new meaning here: the more malicious your code, the better grade you'll get.

Anyone who went to college knows an underpaid, overworked teaching assistant normally supervises all lab assignments. However, the professor of "Malicious Computing 101" insists he will supervise the students during scheduled class times. A student will automatically flunk the course if a virus gets loose and tries to destroy the world (like the ILoveYou virus did in 2000).

Frankly, this doesn't make any sense. I mean, shouldn't you get an A+ if you annihilate the Internet during Finals Week?

Needless to say, the University of Calgary's announcement stirred up a global media controversy. Lots of experts around the world chimed in with commentary. Even our own Robert Vibert submitted a column.

When I heard the University of Calgary would teach undergraduates to write viruses, I asked a simple philosophical question. "Will they let Mike Calce sign up for the course?"

Very few people know Mike Calce is the infamous "Mafiaboy" who -- according to legend -- very nearly destroyed e-commerce in February 2000. According to one published report, "RCMP and FBI officials have estimated that Mafiaboy caused $1.7 billion in [global] damage." (Canadian dollars, I'll bet.)

Suffice it to say the kid single-handedly terrorized the Internet -- if you believe the media and all of the fearmongers who rode on Mafiaboy's coattails. I won't bore you with the technical aspects of his diabolically ingenious teenage exploits; visit Mafiaboy.com if you need a refresher.

Ironically, Canadian news organizations cannot legally identify Calce as Mafiaboy due to juvenile privacy laws. Now you know why this column is banned in Canada.

Only in the computer security world can you keep your name out of the newspapers even after you plead guilty to a $1.7 billion crime. Mike Calce is as famously unknown as Murray Langston. Some Canadian newspapers even refused to identify the kid's father, John Calce, after police booked him for conspiring to (physically) assault another man. Tsk, tsk. Only in the computer security world, eh?

OKAY, ENOUGH ABOUT the Mafiaboy mystique. Let's get back to my simple philosophical question. Will the University of Calgary let Mike Calce take their virus-writing course if he fulfills all of the normal academic requirements for it?

Let's add a twist. As you may know, many politically correct university students sympathized with Al Qaeda in 1989. Will the University of Calgary teach a declared Al Qaeda sympathizer how to write malicious software if he/she meets all normal academic requirements? What if, say, our hypothetical student is a natural-born Canadian with no criminal record? Would the University of Calgary forbid someone to take the course based solely on the student's declared political sympathies?

If the university forbids it, would they let the declared Al Qaeda sympathizer sign up for a SCADA Software 101 course instead?

Let's face sarcasm/reality here, folks. If one self-taught Canadian high school student could single-handedly almost destroy e-commerce, just imagine what a horde of sheepskin Canadians could do!

If the University of Calgary lets anybody attend their virus-writing course, then we may someday find ourselves facing a horde of Canadian 21st century glue-sniffing cybersluts with homicidal minds and handheld PDAs. A horde of Canadians led, perhaps, by none other than Mike Calce, aka Mafiaboy.

I'd expect nothing less from a nation where (a) you can teach students to write malicious software but (b) you can't legally identify a convicted billion-dollar cyber-terrorist...
[ISN] Code team cracked Soviet's ciphers
http://portal.telegraph.co.uk/news/main.jhtml?xml=/news/2003/06/02/ncode02.xml

By Neil Tweedie
(Filed: 02/06/2003)

[ http://www.amazon.com/exec/obidos/ASIN/1842750046/c4iorg - WK]

The codebreakers of Bletchley Park not only broke into the secrets of the German Enigma machine, but also succeeded in cracking the main Russian machine ciphers.

The success of British cryptanalysts during the Second World War in cracking the German machine is well known, but their work on Soviet machines has remained secret.

Now, for the first time, details of GCHQ's early Cold War successes against the Soviet Union are revealed in The Spying Game, by Michael Smith. He describes how one of the most precious secrets of the early Cold War was betrayed to the Soviet Union by an American spy.

Smith says the British codebreakers agreed to work with the Americans on Soviet codes and ciphers. By September 1946, the academics turned codebreakers were sending the Americans material produced from a Russian enciphered teleprinter system they had codenamed Caviar.

But their best successes came after a move from Bletchley Park to Eastcote, Middlesex, when they broke main Soviet military machine ciphers known as the Poets series. This followed GCHQ's breaking of the first Poet system in early 1946. Called Coleridge, it was used by the Soviet army, navy and air force on main communications networks in the USSR.

Coleridge gave the Western allies an insight into Soviet military strength, capability and dispositions. The information was second only to Soviet atomic secrets on the British intelligence wish list.

But on October 29 1948 - later known as Black Friday - Warsaw Pact codes, ciphers, and communications procedures were changed. The codebreakers' secret had been handed to the Russians by William W Weisband, their agent in the US army.
[ISN] Challenge yourself to get rid of insecure software.
+------------------------------------------------------------------+
|  Linux Security: Tips, Tricks, and Hackery                       |
|  Published by Onsight, Inc.                                      |
|                                                                  |
|  02-June-2003                                                    |
|  http://www.hackinglinuxexposed.com/articles/20030602.html       |
+------------------------------------------------------------------+

This issue sponsored by Gibraltar Software, Inc., your best source for Secure Patch Management.

With Gibraltar Software's flagship security product, the Everguard (tm) System, sysadmins can now run one tool to keep a network of Linux, Windows, and Solaris machines completely patched and up-to-date. Everguard 2.0 features remote deployment capabilities, automated software discovery and tracking, centralized management, a variety of reporting tools, and rated priority to patches. Everguard 2.0 is the most secure cross-platform patch management system available today. For more information, visit our website at http://www.dvpm.com/

Challenge yourself to get rid of insecure software.
By Brian Hatch

Summary: System setups that are known to be buggy can persist for far too long unless you force yourself to take the time to revisit them periodically.

I'm on a lot of mailing lists, including one for my local LUG (Linux user's group) and tend to respond to a lot of questions from complete strangers.[1] For some reason it seems that in the last few weeks I've fielded an increased number of emails that I don't want to help out on, for example

  1. "I can't get telnet to my machine - how can I disable the firewall?"

  2. "I can telnet fine, but not as root, I need to su. How can I let root log in from the network directly over telnet?"

  3. "I'm trying to change the password for a user, but it only lets me choose passwords that are longer than 4 characters, what's wrong?"

Each time I hear questions like this I take a deep breath. I know the answers.[2] The problem is that they want to do things to which I personally object, things that decrease the security of their systems.

People like to use the tools they're familiar with. Retraining people to do things in a new (more secure) way is very difficult.

For instance when I took over a cluster of SGIs years ago I installed SSH across the board, but needed to leave telnet enabled for the PC users who needed to be able to log in.[3] However even those with Unix boxen on their desk, on which ssh was installed, didn't want to use SSH. I'd even set up users with passwordless logins and host-based trust across the machines. I noted the savings of three characters in "ssh" vs "telnet". Nothing worked until I replaced /usr/bin/telnet with a shell script that looked something like this:

    #!/bin/sh

    quit () {
        echo "glad you came to your senses."
        exit 0;
    }

    # If user specifies a port or no host at all, run real telnet binary.
    # Yes, this lets them type 'telnet host 23' - oh well.
    if [ $# -gt 1 ] ; then
        exec /usr/bin/telnet.real "$@"
    elif [ $# -eq 0 ] ; then
        exec /usr/bin/telnet.real
    fi

    # See if SSH is available on the target.  If not,
    # then invoke telnet.  (nc -z can be used as a poor man's port scan.)
    # Test nc's exit status directly; wrapping it in backticks would try
    # to run its output as a command.  The space before the redirection
    # matters too: "22>/dev/null" would redirect file descriptor 22 and
    # drop the port argument.
    if ! nc -z "$1" 22 >/dev/null 2>&1 ; then
        echo running telnet - ssh not running
        exec /usr/bin/telnet.real "$@"
    fi

    # OK, they're using 'telnet hostname' to a machine that's running SSH.
    #
    # Forcibly instigate "worker retraining".

    echo "Are you sure you'd like to use telnet?"
    echo "We've installed SSH on this machine, which is much better."
    echo -n "use telnet anyway? (yes/n) "
    read a
    if [ "x$a" != "xyes" ] ; then
        quit
    fi

    echo "Are you *really* sure you'd like to use telnet?"
    echo "SSH will encrypt your sessions.  That's good..."
    echo -n "Should I stop and let you ssh? (nothanks/y) "
    read a
    if [ "x$a" != "xnothanks" ] ; then
        quit
    fi

    ...
    # About three more yes/no questions, alternating the
    # response they must provide to make it harder.
    ...

    # give up, let them use telnet if they're so darned sure...
    exec /usr/bin/telnet.real "$@"

Everyone had become set in their ways. They were used to telnet, and even though a more secure, robust, and in this case even easier method was available, they wanted to stick to the old system.

Unfortunately, inertia is very common in any organisation. You need to be sure to periodically question the methods your organisation uses to do its business. Any time you put functionality in place that isn't the most secure thing in the world, make sure to revisit it in three months time to see if there's a better way to do it later.[4]

For example, say your software push system requires that the software push account on the distribution
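An added example, not from Brian Hatch's column: the same telnet-wrapper idea, but one that hands the session straight to ssh when port 22 answers and, when it has to fall back to telnet, logs who used it against which host, so the leftover exception can be measured at the periodic review the column urges rather than forgotten. The log path, the name of the real telnet binary and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the column).  A telnet wrapper that prefers
# SSH and records every legacy telnet session for later review.

LEGACY_LOG="${LEGACY_LOG:-/var/log/legacy-telnet.log}"   # assumed path
REAL_TELNET="${REAL_TELNET:-/usr/bin/telnet.real}"       # as in the column

# Does the host accept TCP connections on port 22?  nc -z as a poor
# man's port check, with a short timeout so a dead host does not hang
# the user.  Note the space before ">": "22>/dev/null" would redirect
# file descriptor 22 and silently drop the port argument.
ssh_available() {
    nc -z -w 3 "$1" 22 >/dev/null 2>&1
}

# Decide the transport for a plain "telnet host" invocation.
# Prints "ssh" when the target runs SSH, "telnet" otherwise.
choose_transport() {
    if ssh_available "$1"; then
        echo ssh
    else
        echo telnet
    fi
}

# Append one record per legacy telnet use: epoch seconds, user, host.
record_legacy_use() {
    printf '%s %s %s\n' "$(date +%s)" "${USER:-$(id -un)}" "$1" >>"$LEGACY_LOG"
}

# Summarise the log for the review: telnet sessions per host within the
# last DAYS days, as "<count> <host>" lines, busiest host first.
# NOW_EPOCH is optional and exists so the report is reproducible.
# Usage: legacy_report LOGFILE DAYS [NOW_EPOCH]
legacy_report() {
    log=$1; days=$2; now=${3:-$(date +%s)}
    cutoff=$((now - days * 86400))
    awk -v cutoff="$cutoff" '$1 >= cutoff { n[$3]++ }
        END { for (h in n) print n[h], h }' "$log" | sort -rn
}

# Wrapper entry point, installed in place of /usr/bin/telnet as in the
# column.  Explicit port or no host: run the real binary untouched.
# Otherwise use ssh where it is available and log the telnet fallback.
telnet_wrapper() {
    if [ $# -ne 1 ]; then
        exec "$REAL_TELNET" "$@"
    fi
    case $(choose_transport "$1") in
        ssh)    exec ssh "$1" ;;
        telnet) echo "ssh not answering on $1, falling back to telnet" >&2
                record_legacy_use "$1"
                exec "$REAL_TELNET" "$1" ;;
    esac
}

# Only act as the wrapper when invoked directly with arguments; sourcing
# the file just defines the functions.
if [ "${WRAPPER_MODE:-}" = run ]; then
    telnet_wrapper "$@"
fi
```

Run `legacy_report /var/log/legacy-telnet.log 90` at the three-month review: an empty report means the telnet exception can finally be retired.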
[ISN] North Korea's School for Hackers
Forwarded from: William Knowles <[EMAIL PROTECTED]>

http://www.wired.com/news/politics/0,1283,59043,00.html

By Brian McWilliams
June 02, 2003

In North Korea's mountainous Hyungsan region, a military academy specializing in electronic warfare has been churning out 100 cybersoldiers every year for nearly two decades.

Graduates of the elite hacking program at Mirim College are skilled in everything from writing computer viruses to penetrating network defenses and programming weapon guidance systems.

Or so South Korea's government would have the world believe.

Since at least 1994, military and intelligence officials in Seoul have warned of the growing threat posed by the "infowar" academy to the north, which they say was founded in the 1980s and is also known as the Automated Warfare Institute.

Most recently, South Korea's Defense Security Command raised the specter of Mirim at a cybersecurity seminar in mid-May, where a South Korean general noted that North Korea is "reinforcing its cyberterror capabilities."

Yet Pentagon and State Department officials say they are unable to confirm South Korea's claims that Mirim or any other North Korean hacker academy even exists. And some U.S. defense experts accuse South Korea of hyping the cyber threat posed by its northern neighbor, which they claim is incapable of seriously disrupting the U.S. military.

"The KPA (Korean People's Army) is still predominantly an analog and vacuum-tube force," said Alexandre Mansourov, a professor at the Pentagon's Asia-Pacific Center for Security Studies. "We tend to overestimate the level of information-technology expertise in the North Korean military, and South Korea is especially guilty of this."

Representatives of South Korea's National Intelligence Service, as well as its Institute for Defense Analyses and Information Security Agency, did not respond to requests for more information about Mirim College or North Korea's information warfare capability.

Outside North Korea little is known about secretive Pyongyang's current infowar prowess, according to John Pike, president of GlobalSecurity.org, which maintains an online guide to North Korea's military. But Pike said the militaristic nation, which spends much of its gross national product on defense, undoubtedly is working to digitize its military.

"It's not the sort of thing that a spy satellite is going to pick up," said Pike. "But even if the DPRK (Democratic People's Republic of Korea) can't feed its own people, it's quite capable of developing and using the full spectrum of modern weaponry, including cyber."

Indeed, the regime in North Korea would be grossly negligent if it failed to beef up its information warfare capability, according to Mansourov. Its adversary South Korea, one of the most wired nations in the world, makes no secret that preparing for infowar is a top military priority, he said.

In its 2000 annual report, South Korea's Ministry of National Defense said a 5 percent budget increase was allocated mainly for projects such as "the buildup of the core capability needed for coping with advanced scientific and information warfare." The report also revealed that South Korea's military has 177 "computer training facilities" and had trained more than 200,000 "information technicians."

Meanwhile, in North Korea the lack of basic necessities, such as a reliable electrical grid, presents huge obstacles to creating an information-technology infrastructure, according to Peter Hayes, executive director of the Nautilus Institute, which published a recent study of North Korea's IT aspirations.

Trade sanctions -- not to mention North Korea's guiding philosophy of "juche," or self-reliance -- have further isolated the DPRK from the Internet and many technological advances, said Hayes.

As a result, North Korea has been assigned only two "class C" blocks of Internet addresses, none of which currently appear active, according to data from the American Registry for Internet Numbers and Asia Pacific Network Information Centre. The DPRK's limited connection to the Internet reportedly comes from satellite links provided by a company in South Korea, and by land lines from China.

Similarly, North Korea's designated top-level domain, .kp, never has been implemented. The nation has only a handful of websites -- the most sophisticated being an online gambling site -- none of which are hosted in North Korea. Servers in China and Japan host the sites.

While Net surfing is available only to a privileged few of the 22 million North Koreans, leader Kim Jong Il is said to be a big fan of information technology. The dictator surprised many when he asked Secretary of State Madeleine Albright for her e-mail address during a historic visit in 2000.

Yet, despite being mostly disconnected from the Internet, North Korea reportedly has developed a vast intranet linking government offices throughout the c
[ISN] IRS rife with security weaknesses
http://www.fcw.com/fcw/articles/2003/0602/web-irs-06-02-03.asp

By Diane Frank
June 2, 2003

Critical information security weaknesses at the Internal Revenue Service demonstrate the importance of moving past the development of an information security program to actually implement the measures outlined in the plan.

The General Accounting Office found almost 900 weaknesses across the 11 IRS organizations included in its review, particularly in the areas of access and authorization. All of the weaknesses can be traced to IRS' incomplete implementation of its agencywide security program, according to the report dated May 30.

The IRS has made progress toward addressing security, including developing a milestone-based plan to fix vulnerabilities -- a step required by the Office of Management and Budget under the Government Information Security Reform Act of 2000 and continued under the Federal Information Security Management Act of 2002. The tax agency also has increased the number of resources and people devoted to information security and created an around-the-clock incident response team.

But the many weaknesses that still exist and the lack of an agencywide process to identify and address future vulnerabilities leave sensitive personal data open to unauthorized users.

"Such individuals could possibly obtain personal taxpayer information and use it to commit financial crimes in the taxpayer's name (identity fraud), such as establishing credit and incurring debt," the report states.

Beyond the need to meet all of the standard requirements, such as performing risk assessments and certifying and accrediting systems, GAO also strongly recommended incorporating accountability for security controls into employee performance appraisals.

"Until such performance standards and measures are developed and incorporated into the appraisal process, agency personnel may not devote sufficient attention and effort to implementing effective security controls," the report states.

In a written response to GAO, new IRS Commissioner Mark Everson said that his agency plans to address each of the report's recommendations this year, although incorporating security into performance appraisals will have to wait until fiscal 2004 because of legal constraints.
[ISN] Clancy Urges CIOs: Seek Out the 'Smart People'
http://www.eweek.com/article2/0,3959,1114813,00.asp

By Dennis Fisher
June 2, 2003

WASHINGTON - In a rambling and somewhat odd keynote speech at the Gartner IT Security Expo here Monday, author Tom Clancy urged the assembled security specialists and CIOs in the audience to seek out experts in other fields and apply their knowledge to the IT world.

"The world is full of smart people, and when you find out what some of them are doing, you get smarter," Clancy said. "Everyone knows at least one thing you can learn from them. So go learn."

Asked where he gets the information on the gadgets and technologies that populate his novels, Clancy said that it's all out in the open, and it's simply a matter of legwork and research. In the age of information, when virtually anything you want to know is a few clicks away, Clancy said there is no excuse for not finding what you need to do your job better.

"There are no secrets in the world. The only hard part is finding the right person to ask," he said. "If you have a phone, you can find out anything you want in under 60 minutes. With the Internet, it's even faster."

The idea, Clancy said, is to not limit yourself to one subject, to broaden the scope of your intellectual activity.

"Fortune favors the prepared mind, as Louis Pasteur said. The best guys are the ones who can cross disciplines," Clancy said. "The smartest ones look at other fields and apply them to their own."

As Clancy veered from subject to subject - touching on issues as diverse as Bill Clinton, baseball, the charm of Macs, and the relative levels of corruption in Washington and Hollywood - the Gartner analysts tasked to moderate his talk tried to steer him back to technology topics. But they had little luck.

In what amounted to more of a collection of one-liners and anecdotes than a speech, Clancy revealed himself to be a master name-dropper and a man who is perpetually unhappy with the people on Capitol Hill.

After relating an anecdote about a congressman who dismissed an expert's objections to a particular technology by saying, "Don't give that laws of physics stuff," Clancy had this to say: "They don't have an intelligence test for members of Congress. But I guess that's kind of obvious."

After his monologue, two Gartner analysts came on stage and asked Clancy to sit down with them for a discussion. "I have to sit down, huh? I'll be on the extreme right," Clancy quipped.

Among Clancy's other verbal gems:

* "The one nice thing about being rich and famous is you get to meet all kinds of interesting people. Actually, you meet all sorts of idiots too, but you discard them."

* "An extremist is someone who doesn't agree with you and does so loudly."

* "The president of the United States wanted to do away with Fidel Castro, and he asked the CIA to do it. They of course failed because they hired the Mafia to do it, and Castro wouldn't sit in the front seat."

* "That's why I'm a Mac driver: You don't have to know anything about computers."
RE: [ISN] This computer security column is banned in Canada
Forwarded from: Steve Manzuik <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]

I am not associated with, nor do I speak for the University of Calgary.

> This column is banned in Canada
> http://Vmyths.com/rant.cfm?id=598&page=4

I am a Canadian, living in Calgary -- and I got this article. Does that mean I am in some sort of trouble?

> Academic achievement takes on a whole new meaning here: the more
> malicious your code, the better grade you'll get.

That is hardly the case. More like, the better your understanding of malicious code and malware the better grade you will get.

> Anyone who went to college knows an underpaid, overworked teaching
> assistant normally supervises all lab assignments. However, the
> professor of "Malicious Computing 101" insists he will supervise the
> students during scheduled class times. A student will automatically
> flunk the course if a virus gets loose and tries to destroy the
> world (like the ILoveYou virus did in 2000).

It is my understanding from talking to the University that the hands-on portion of the course will be conducted in a lab environment that is closely controlled. In fact, it was my understanding that the lab is not even connected to the Internet. Obviously this doesn't completely prevent malicious code from leaving but it will at least prevent accidents.

> Frankly, this doesn't make any sense. I mean, shouldn't you get an
> A+ if you annihilate the Internet during Finals Week?

Come on Rob, as a FUD buster yourself you should know better than to make statements like this. Besides, who said the annihilation of the Internet would be a bad thing?

> infamous "Mafiaboy" who -- according to legend -- very nearly
> destroyed e-commerce in February 2000.

So let's get this straight. You, Mr. Rosenberger, have made a career of exposing FUD. You have taken FUDsters like Russ Cooper to task and for that most of us applaud you. But then I read your multiple articles on vmyths.com about the UofC course on Malware and have to wonder why you yourself would resort to quoting clear FUD just to make your point.

> According to one published report, "RCMP and FBI officials have
> estimated that Mafiaboy caused $1.7 billion in [global] damage."
> (Canadian dollars, I'll bet.)

You know as well as I and everyone else does that this number is grossly exaggerated. Corporate America (and Canada for that matter) needs to blame something for their years of mismanagement and loss of stockholder value. So why not some punk kid from Eastern Canada.

> Suffice it to say the kid single-handedly terrorized the Internet --
> if you believe the media and all of the fearmongers who rode on
> Mafiaboy's coattails. I won't bore you with the technical aspects
> of his diabolically ingenious teenage exploits; visit Mafiaboy.com
> if you need a refresher.

Mafiaboy was nothing more than a patsy. He ran a tool that he didn't even write, and that he didn't even understand. His so-called reign of terror was nothing more than an accident performed by some stupid kid who obviously was lacking parental guidance.

> Only in the computer security world can you keep your name out of
> the newspapers even after you plead guilty to a $1.7 billion crime.
> Mike Calce is as famously unknown as Murray Langston.

Actually, only in Canada. You can thank our broken Young Offenders Act for that.

> OKAY, ENOUGH ABOUT the Mafiaboy mystique. Let's get back to my
> simple philosophical question. Will the University of Calgary let
> Mike Calce take their virus-writing course if he fulfills all of the
> normal academic requirements for it?

Sure, why not -- but something tells me that this clown wouldn't make the cut. Or he can be refused for ethical reasons -- which would more than likely be the case.

> the University of Calgary teach a declared Al Qaeda sympathizer how
> to write malicious software if he/she meets all normal academic
> requirements? What if, say, our hypothetical student is a
> natural-born Canadian with no criminal record? Would the University
> of Calgary forbid someone to take the course based solely on the
> student's declared political sympathies?

Why should they? If they are in good academic standing then there is no reason that they should be kept from taking this course. If you seriously think that the malicious people of the world need a University course on malware to learn how to do this stuff then you are sadly mistaken.

Let's take your lunacy a step further. We all know that terrorists like to use car bombs right? So shouldn't we be careful of whom we issue drivers' licenses to? I mean how can you let those "other races" get drivers' licenses as it could lead to the physical destruction of lives. This is stupid and is security through obscurity.

> If the university forbids it, would they let the declared Al Qaeda
> sympathizer sign up for a SCADA Software 101 course instead?

You don't need a course to hack the hundreds of insecure SCADA systems in
[ISN] Microsoft renews security vows
http://news.com.com/2100-1012_3-1012689.html

By Martin LaMonica
Staff Writer, CNET News.com
June 3, 2003

DALLAS -- Microsoft has opened up its drive to improve software security with a redesigned software patch management system and a partnership with VeriSign to authenticate Web services.

The company pledged Tuesday to improve its system for sending out security fixes, or patches, to existing products. Ninety-five percent of attacks happen after a patch for a known software vulnerability has been issued, said Scott Charney, chief trustworthy computing strategist at Microsoft, during a keynote speech at the software maker's TechEd conference here.

By the end of the year, the company intends to consolidate from eight to two the number of ways that patches are distributed to customers. One of the two new systems will address changes to the Windows operating system, while the other will apply to Microsoft's business applications. Eventually, Microsoft will consolidate its patch management into a single tool that can work across all the company's products, Charney said.

In addition, Microsoft plans to ensure that Windows fixes add themselves automatically to the operating system's internal registry, rather than to different parts of the system. By introducing consistency and by making sure all patches register as present within the software, there's a better chance that fixes will be implemented correctly, the company expects.

Improved patch installation is one facet of Microsoft's "Trustworthy Computing" initiative, which debuted last year. As part of that initiative, the company delayed shipment of several high-profile products, including its Windows Server 2003 operating system and Visual Studio.Net development tools, in order to perform audits and code reviews, according to the company.

Charney said that the secure computing effort is ongoing. "We are now doing security audits on all our products as part of development. We have to do that, because the bad guys will innovate just like we do."

As expected, Microsoft also detailed Tuesday a partnership with VeriSign, which will allow customers to use the Mountain View, Calif.-based security company's digital certificate service to authenticate a person's identity over a network of servers running Windows Server 2003. The service, which should also work over Wi-Fi wireless networks, is set to become available by the end of 2003, according to the allies.

Also at TechEd, Microsoft launched two training and certificate programs specially tailored to security concerns in an effort to reduce vulnerabilities that arise from poor application configuration. Both programs are extensions to the Redmond, Wash.-based software maker's certified credentials for systems administrators and engineers that address the design of secure networks. One of the exams is administered by the Computing Technology Industry Association (CompTIA), a computer industry trade organization.

-
ISN is currently hosted by Attrition.org

To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
[ISN] OpenBSD Gets Harder to Crack
http://www.eweek.com/article2/0,3959,894,00.asp

By Timothy Dyck
June 2, 2003

On the security field, nothing is quite as revealing, or as taxing, as the passage of time. By that measure in particular, the OpenBSD development team's OpenBSD operating system stands out.

The latest OpenBSD 3.3 release, which started shipping early last month, arrives with even stronger attack defenses coupled with an amazing record of just a single remotely exploitable vulnerability in more than seven years, the best security track record for any general-purpose operating system around.

eWEEK Labs has used past versions of OpenBSD for a number of years in our lab for network firewalls as well as in OpenHack security tests and has come to trust the product's rock-solid reliability and secure-out-of-the-box configuration. It's free to download or $40 for a CD version.

This release improves the package's already-powerful network filtering features with the addition of bandwidth preallocation, selective traffic prioritization and load balancing.

For network firewall or router deployments, OpenBSD provides a secure, easy-to-configure option, while still supporting the deployment of general-purpose network server applications such as The Apache Software Foundation's HTTP Server or Internet Software Consortium's BIND (Berkeley Internet Name Domain) name server. (Apache 1.3.27 and BIND 9.2.2 are installed on OpenBSD 3.3 by default.)

Although OpenBSD has a generous set of prebuilt software packages available for it (installing KDE, or K Desktop Environment, 3.1 was very straightforward), it is not well-supported by commercial server software vendors the way Linux, Windows or Solaris is. It also doesn't support more than one CPU per server.

Keeping an OpenBSD system up-to-date is also very demanding for system administrators. Configuration files in /etc need to be manually migrated during version upgrades (which ship every six months), and security patches are released only in source code form. A binary patch distribution tool would make it much easier to deploy OpenBSD systems in larger numbers.

Overflow Attack Protection

OpenBSD 3.3 enables by default ProPolice, an application buffer overflow protection mechanism developed by IBM Research. To get this protection, users need to compile applications with the ProPolice-equipped GNU Compiler Collection compiler that comes with OpenBSD or use just the already-protected applications that ship with OpenBSD.

OpenBSD 3.3 adds page-level memory permissions (on SPARC, Alpha and PA-RISC CPUs) that mark each memory page as either writable or executable (but not both at once), to make it harder for an attacker to write attack code into a memory location and execute it. Unfortunately, this feature isn't provided on x86 or PowerPC chips yet, although it's planned for the OpenBSD 3.4 release.

The OpenBSD project has made a decision against trusted-operating-system-style mandatory access controls that place kernel-enforced limits on what particular processes or users can do. "People who use such things build systems which cannot be administered later," said Theo de Raadt, OpenBSD project leader, in Calgary, Alberta. "I am holding the fort against such complexity." However, while mandatory access controls do make systems harder to administer, we've found the approach a very powerful defense in tests and would welcome the option to use these techniques with OpenBSD.

OpenBSD's excellent packet filter, pf, is a big attraction of the platform because it provides such comprehensive firewall features coupled with a concise yet simple configuration file format. This release updates pf with traffic-shaping features that let administrators devote a set amount of bandwidth or a relative percentage of bandwidth to particular types of traffic or particular users. It also lets administrators prioritize selected types of traffic.
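As an added illustration of the pf traffic-shaping features the review describes (this is an example written for this page, not configuration from the article or from the OpenBSD project), here is a pf.conf fragment in the ALTQ syntax that pf gained in OpenBSD 3.3. It preallocates a share of the link to three classes of traffic and gives interactive and DNS traffic a higher priority than bulk transfers. The interface name fxp0, the 2Mb link speed and the queue names are assumptions chosen for the example.

```pf
# Added example (not from the article or the OpenBSD project): pf.conf
# fragment using the ALTQ traffic shaping integrated into pf in OpenBSD 3.3.
# The interface (fxp0) and link speed (2Mb) are assumptions for illustration.
ext_if = "fxp0"

# Class-based queueing on the external interface: the root queue owns the
# whole link and each child queue is guaranteed its stated share of it.
altq on $ext_if cbq bandwidth 2Mb queue { q_bulk, q_ssh, q_dns }

# Bulk traffic: 60% of the link, may borrow idle bandwidth from siblings.
# "default" makes this the queue for traffic no rule assigns elsewhere.
queue q_bulk bandwidth 60% cbq(default borrow)

# Interactive SSH: 25% preallocated, priority 5 (range 0-7, 7 highest) so it
# is served ahead of bulk traffic when the link is contended.
queue q_ssh bandwidth 25% priority 5 cbq(borrow)

# DNS: a small guaranteed share at the highest priority.
queue q_dns bandwidth 15% priority 7 cbq

# Default-deny inbound on the external interface; outbound rules create
# state so reply packets are admitted without matching a pass-in rule.
block in on $ext_if all

# Assign outbound traffic to the queues; unmatched traffic takes q_bulk
# through the cbq(default) setting above.
pass out on $ext_if proto tcp from any to any port 22 keep state queue q_ssh
pass out on $ext_if proto { tcp, udp } from any to any port 53 keep state queue q_dns
pass out on $ext_if all keep state queue q_bulk
```

Load the file with `pfctl -f /etc/pf.conf` and inspect the resulting queues and their counters with `pfctl -s queue`; the counters are the quickest way to confirm that the rules actually steer traffic into the intended queue rather than letting everything fall through to the default.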
West Coast Technical Director Timothy Dyck is at [EMAIL PROTECTED]
[ISN] Microsoft to introduce security certifications
http://www.computerworld.com/securitytopics/security/story/0,10801,81715,00.html

[From The Unknown Security Person... don't people who certify .. need to be experts themselves?]

By CAROL SLIWA
JUNE 02, 2003
Computerworld

Microsoft Corp. tomorrow will announce its first set of certification credentials for IT administrators and engineers who specialize in security in a Windows environment.

Dan Truax, director of business and product strategy for training and certification at Microsoft, noted that the company has offered security courses for years. But he said Microsoft decided to take the extra step of creating a formal credential in recognition of the number of customers that now specialize in that type of job.

The announcement of the new certifications is scheduled to be made during a keynote address by Scott Charney, Microsoft's chief security strategist, at the company's TechEd 2003 conference in Dallas.

The more rigorous of the two certifications being introduced is the Microsoft Certified Systems Engineer (MCSE): Security on Microsoft Windows 2000. To achieve that status, an engineer must pass six core exams and demonstrate a "security specialty" by taking a test on Microsoft Internet Security and Acceleration (ISA) Server 2000 or an exam administered by the Computing Technology Industry Association, better known as CompTIA.

The requirements are essentially the same as for an ordinary MCSE certification, except the security candidate has to take the core security design exam and a security implementation exam that Microsoft introduced in January, along with the ISA Server or CompTIA exam.

The other new certification - Microsoft Certified Systems Administrator (MCSA): Security on Microsoft Windows 2000 - requires the four exams needed for a typical MCSA certification, plus one additional exam. One core exam on the client operating system and two on networking systems are mandated along with the security implementation exam and either the ISA Server or CompTIA exam.

Certifications aren't yet available for Windows Server 2003, but they're expected to become available later this year, according to Truax.

Truax said Microsoft was first approached last summer about creating a special security credential. Customers and partners subsequently advised the company not to create credentials similar to any that already exist in the industry, but rather to focus on offering a certification specific to the Microsoft software environment, he said.

"Our goal was to complement what exists in the industry, not to compete with it," Truax said.

How important the new certifications will be to IT shops is unclear. Charles Emery, senior vice president and CIO at Horizon Blue Cross Blue Shield of New Jersey in Newark, said he views the new Microsoft programs as positive for the industry. But he also noted that Horizon Blue Cross Blue Shield doesn't use certifications as hiring criteria, because it has often found that certification holders have no practical experience.

Mike Lines, an Indianapolis-based manager of technical integration at Bell Industries Tech.logix Group, said that as a provider of outsourced IT services, his company requires all of its engineers to carry the MCSE credential. Lines said he definitely will have a couple of engineers take the new security certification exams.

But one certified Microsoft trainer, who asked not to be identified, said it's difficult for any vendor to develop a security curriculum for its own products. He said third parties, such as the SANS Institute, tend to take a more critical and thorough approach.
[ISN] Defense Department Issues Open Source Policy
http://www.internetnews.com/dev-news/article.php/2216311

By Thor Olavsrud
June 3, 2003

The U.S. Department of Defense (DoD) last week distributed a memo putting open source software on a level playing field with proprietary software when it comes to use within the department, though the memo also warned that those using open source software (OSS) must comply with "lawful licensing requirements" and be aware of what those licenses entail.

The DoD is a user of both open source and proprietary software, ranging from Linux and BSD on the open end, to Unices and Windows on the proprietary end. The memo eases fears that the military might ban use of the GNU General Public License (GPL).

Providing a description of open source licenses and licensing requirements, including a specific focus on the GPL, the memo, written by John Stenbit, chief information officer and assistant secretary for Command, Control, Communications and Intelligence Defense Department, noted, "The Linux operating system is an example of an operating system used in DoD that is licensed under the GPL."

Stenbit also used the memo to remind recipients that any "DoD Components" who acquire, use or develop OSS must make sure that the software complies with the same DoD policies governing Commercial Off the Shelf (COTS) and Government Off the Shelf (GOTS) software.

"This includes, but is not limited to, the requirements that all information assurance (IA) or IA-enabled IT hardware, firmware and software components or products incorporated into DoD information systems, whether acquired or originated within DoD: 1. Comply with the evaluation and validation requirements of National Security Telecommunications and Information Systems Security Policy Number 11, and; 2. be configured in accordance with DoD-approved security configuration guidelines available at http://iase.disa.mil/ and http://www.nsa.gov/."

Stenbit also urged anyone considering OSS within DoD to understand the ramifications of its use.

"DoD Components acquiring, using or developing OSS must comply with all lawful licensing requirements," he said. "As licensing provisions may be complex, the DoD Components are strongly encouraged to consult their legal counsel to ensure that the legal implications of the particular license are fully understood."

Open source licenses often require modifiers and distributors of the code to make their source code available, publish a copyright notice, place a disclaimer of warranty on distributed copies and give recipients of the program a copy of the license. The GPL, which governs the Linux open source operating platform, is a particularly strict open source license which requires anyone that distributes code they have modified to make the source code available when distributing the original binary code or derivatives.
RE: [ISN] This computer security column is banned in Canada
Forwarded from: Rob Rosenberger <[EMAIL PROTECTED]>
Cc: Steve Manzuik <[EMAIL PROTECTED]>

>>Lets take your lunacy a step further.
>>
>>This is stupid and is security through obscurity.

Steve, you should focus your "stupid/lunacy" complaints on senator Charles Schumer (D-NY). He fears U.Calgary will turn into a "digital training ground for future cyber-terrorists." You can listen to him (in context!) at http://Vmyths.com/mm/humor/psa/schumer.mp3 if you don't believe me. Schumer's audio comes from a February 2002 senate hearing where White House flunky Richard Clarke reserved the right to NUKE China if they invade the U.S. with a computer virus.

I agree wholeheartedly with you, Steve. From my follow-up column:
http://Vmyths.com/rant.cfm?id=599&page=4

"I'll extract my tongue from my own cheek so we can clear the air... You'll find a big difference between me and people like senator Schumer. He'll mean it if he declares Canada a cyber-threat. He'll want you to fear the wrath of Calgary's student body. He'll demand FBI background checks for computer science teachers & students."

Rob
[ISN] Police probe girl's claims
http://www.newsobserver.com/front/story/2579239p-2393565c.html

also:
http://indyweek.com/durham/current/triangles.html

By ANNE BLYTHE
Staff Writer
May 31, 2003

CHAPEL HILL -- Police Chief Gregg Jarvies put three officers on administrative leave with pay pending the outcome of an investigation into a Chapel Hill High School student's allegations that two of the investigators misrepresented themselves as members of an FBI Cyber Crime Task Force.

Two senior administrators in the department have been assigned to find out what happened May 2, when Erin Carter, 17, a junior at Chapel Hill High, was pulled out of an afternoon assembly and told to report to the principal's office.

Until that report is complete, Chapel Hill officers Steve Anson, John W. Moore and Bryan Walker will be on administrative leave.

"I'm concerned about the allegations, and that's what they are now is allegations," Jarvies said. "That's the reason for the change in job status."

The incident began, according to school and police officials, when problems surfaced with the computer network at Chapel Hill High and administrators suspected hacking had occurred.

After she was pulled out of the assembly, Carter was greeted in the office by Principal Mary Ann Hardebeck and two men attired in Navy blue golf shirts with what looked to be yellow FBI logos. The men, Moore and Walker, were Chapel Hill police officers who had gone to the school to investigate why approved personnel had been having difficulties logging on to the network.

It's still not known what caused the computer problems. But school technicians continue to look into the incident.

IT unit in planning

Moore, Walker and Anson, a Chapel Hill officer who is assigned to work nearly four days each week in Raleigh with the FBI Cyber Crime Task Force, are the department's go-to guys when a computer crime is suspected. But neither Moore, an investigator with the Chapel Hill force for nearly 11 years, nor Walker, a Chapel Hill officer for more than 12 years, is officially part of the federal cyber crime task force.

"In late summer or early fall, we're going to establish an IT [information technology] unit," Jarvies said. "As a part of that, they're receiving training with the FBI."

Although neither is a federal officer, Moore and Walker presented themselves as members of the federal task force, according to Carter and Hardebeck. Moore even gave the student a business card that has FBI in big blue letters at the top, then Cyber Crime Task Force below it, then his name with the words "task force agent" just below. Carter, disturbed by the questioning, laminated the card as a keepsake.

"It is not a card that we have issued or something the FBI would issue," Jarvies said.

'Not very nice'

The officers wanted to know more about Carter's Web log, or "blog" as she calls the journal and sounding board. They had stacks of printouts from her site and questioned her about the content she had posted.

"They thought I knew more than I was telling," Carter said. "It was really weird and not very nice. They were like, 'Well, you might hear from us again, you might not.' "

Hardebeck, who was in the room during the questioning, said she thought the police officers gave the impression that they were working with the FBI.

"I'm not sure they used the particular words that they were FBI agents, but they gave that impression," Hardebeck said. "It was an unusual experience."

Staff writer Anne Blythe can be reached at 932-8741 or [EMAIL PROTECTED]
[ISN] Article: Patch Management Isn't The Only Needed Change
Forwarded from: Richard Forno <[EMAIL PROTECTED]>

Patch Management Isn't The Only Needed Change
Richard Forno
[EMAIL PROTECTED]

©2003 Richard Forno. Permission granted to reproduce and distribute in entirety with credit to author.

Last week Microsoft announced plans to revise the process it uses to provide patches that fix problems with its software. While IT executives around the world may be swooning in gratitude at this latest demonstration of 'Trustworthy Computing' in action, those in the real world of IT, such as system administrators, network engineers, and security staff - in other words, the "doers with a clue" - have little to rejoice about with this latest news from Redmond.

By now, anyone with a Windows computer knows that hardly a week passes without a software patch/hotfix/update issued by Microsoft to fix a problem in its products. For security professionals and system administrators alike, the number of alerts and advisories pertaining to a new Microsoft software problem showing up in our e-mail inboxes almost matches the number of e-mail offers for miracle drugs promising to increase the size of certain body parts overnight.

I've never been a big fan of Microsoft's product update process. In fact, there are times when I believe it's better not to install a Microsoft patch, since applying a patch for one problem tends to create numerous new ones - an ongoing cycle that I've dubbed the Redmondian Law of Unintended (But Accept It Anyway) Consequences. Anyone who suffered through the Windows NT Service Pack fiasco over the years knows what I'm talking about, especially since it's difficult, if not impossible, to remove a patch or service pack (or fully trust it's been removed) without a complete re-install of the operating system.

As a result, Windows users must hedge their bets: do they install a patch to fix today's problem now but risk creating newer ones costing additional time and labor to fix tomorrow? Or should they forgo the patch and, as US Homeland Security Circus-Master Tom Ridge says, "stay alert for suspicious [system] activity but go about their normal [computing] activities?"

Certainly, all operating systems require patches now and then. But the key difference is that the user's level of trust in such patches is made easier when they have access to the system internals and can see what's being affected by the patch. The closed nature of some operating systems means that users (especially home users without dedicated test equipment) must base their "trust" in the patch on how it behaves after installation, instead of beforehand. In other words, roll the dice and pray for the best.

Understandably, those charged with Windows system administration face an endless barrage of vendor alerts and are challenged with not only implementing the fixes they deem necessary but responding to the unforeseen problems such fixes may create once deployed. It's truly a Catch-22 situation. And, while it's easy to blame system administrators for allegedly being complacent in their duties - and some certainly are, no doubt - I believe the majority of blame and responsibility falls on Microsoft's own practices.

If Microsoft really wants to improve its product security, and provide a demonstrable example of truly 'Trustworthy' computing, it needs to stop perpetuating the illusion of its commitment to security and do something truly effective toward that noble and much needed goal. As such, I humbly offer a few suggestions:

First, Microsoft needs to ensure that its product updates - hotfixes, patches, and service packs - do not break existing system installations when applied. This includes preventing updates from modifying network (or application) settings, network shares, and other software (or software dependencies) on the system, whether from Microsoft or a third party. If such breakage is truly unavoidable, it must be disclosed in the README.TXT file or other easily-located, hard-to-ignore (or overlook) place.

Further, installing or updating applications should not modify parts of the operating system, user settings, or data. For example, if a user does not want Visual Basic Scripting (VBS) support when installing Microsoft Office, VBS should not mysteriously appear on his system after installing anything else from Microsoft in the future. The user, not Microsoft, must be the sole authority for determining what will (or will not) be installed on his computer, and how such systems - and applications - are configured.

Second, any - and I mean any - patches or product updates must be removable. If the user finds a problem created by a newly-applied update, he must be confident that he can "roll back" the system to its pre-patch configuration and not be forced to rebuild the system from scratch. This capability should be an unconditional, required feature of patches or product updates. (Reportedly, Microsoft is working on this feature.)

Third, patches to fix security- or critical operational-r
[ISN] Deputy CIO at Homeland Security Department placed on leave
http://www.computerworld.com/securitytopics/security/story/0,10801,81879,00.html

By LINDA ROSENCRANCE
JUNE 06, 2003
Computerworld

Laura Callahan, the deputy CIO of the U.S. Department of Homeland Security (DHS), was placed on paid administrative leave last week after questions surfaced about her academic qualifications, a DHS spokeswoman confirmed.

The move came after members of Congress contacted department officials demanding answers to questions about her academic background, as well as about the department's policy on background checks.

On her resume, Callahan, who was appointed to the position on April 1, said she received her academic degrees, including a doctorate in computer information systems, from Hamilton University in Evanston, Wyo. However, the congressmen, including Rep. Carolyn Maloney (D-N.Y.), contend that according to published reports, Hamilton isn't licensed by that state, nor is the school accredited by the U.S. Department of Education. The congressmen said Hamilton is a "diploma mill."

"What is troubling to me is that a senior official in the Department of Homeland Security in the office of the CIO would have a questionable degree in computer information systems," Maloney said in a letter dated June 4 to Homeland Security Secretary Tom Ridge. "I would hope that checking credentials on a resume is a standard procedure in any background check."

DHS spokeswoman Michelle Petrovich said the department is investigating the allegations. She declined to comment on the department's procedures concerning background checks.

In 2001, Callahan was deputy CIO at the U.S. Department of Labor, and in 2002, she also became that department's IT center director. A spokesman for the Labor Department referred Computerworld to the Office of Personnel Management. The Labor Department couldn't be reached for comment at deadline.

This isn't the first time Callahan has been embroiled in controversy. In March 2000, she was one of two White House officials accused of threatening Northrop Grumman Corp. workers with jail unless they kept quiet about the disappearance of thousands of White House e-mails, according to press reports at the time. Callahan was the White House webmaster under the Clinton administration, and Los Angeles-based Northrop Grumman ran the White House computer system at the time.

The e-mails in question had been subpoenaed during congressional and judicial criminal inquiries that included investigations into campaign finance abuse during the 1996 presidential campaign. Callahan testified under oath at a congressional hearing that she never threatened anyone over the e-mails. The outcome of the investigation couldn't be determined.
[ISN] Homeland Security creates cybersecurity division
http://www.nwfusion.com/news/2003/0606homelsecur2.html

By Grant Gross
IDG News Service
06/06/03

WASHINGTON - The U.S. Department of Homeland Security (DHS) has launched a cybersecurity center, but not all cybersecurity experts welcomed the move of the former White House cybersecurity office to a division at DHS.

The 60-person division, called the National Cyber Security Division, will report to Robert Liscouski, the assistant secretary of homeland security for infrastructure protection, and will be part of the department's Information Analysis and Infrastructure Protection Directorate. DHS is actively looking for a person to head the new division who will have similar responsibilities to the former position of cybersecurity czar at the White House, according to a DHS spokesman.

The head of the division "would be the person whose sole focus in terms of infrastructure protection is cyber," said David Wray, a DHS spokesman. "We've been quietly looking for the right kind of candidate, and now we're actively looking."

The new division is already operating and will focus on reducing the vulnerabilities to the federal government's computing networks and working with the private sector to help protect other critical pieces of cyberspace, DHS announced Friday.

While some in the IT community cheered the move, William Harrod, director of investigative response for TruSecure, a security software vendor, questioned the positioning of the division within DHS. Harrod noted that the new cybersecurity division will not report directly to DHS Secretary Tom Ridge, although until April, the White House had a cybersecurity czar.

"I think it downgrades the visibility of the position within the administration," Harrod said of the new DHS division. "For organizations that want to follow someone who's carrying the banner of cybersecurity, it's a lower-profile position."

With the apparently lower profile of cybersecurity within the Bush administration, Harrod said he's worried that there may be a decreased emphasis on pursuing cybercriminals. "It's sending the message to big business that this isn't a high priority," he said. "They're not going to have ability to generate the sway or have the leadership or commitment... as they had with a cyberspace czar who reported directly to Bush."

Wray, from DHS, said the cybersecurity division wouldn't make sense anywhere else. Before the White House released its National Strategy to Secure Cyberspace in February it made sense to have a cybersecurity czar there to champion the cause, Wray said, but now the issue needs a division to carry out policies.

"Now we've got a great strategy," he added. "This is a natural evolution for going from strategic thinking to execution."

Others in the IT community agreed with DHS. Alan Paller, research director at the information security researcher SANS Institute, said the new division will have the resources to go after cybercrime, whereas former White House cybersecurity czar Richard Clarke had few resources to do anything but "jawbone."

If DHS wanted to downplay cybersecurity, it would bury the division under its physical terrorism division, Paller said, but this move makes cybersecurity an equal player.

"I don't think this move says the Bush administration is soft-pedaling cybercrime," Paller added. "This act today in no way confirms that. It looks to be moving in the other direction."

Robert Holleyman, president and CEO of the Business Software Alliance, also cheered Friday's announcement. Improving cyberspace security will require a long-term, aggressive public-private partnership, he said in a statement.

"We all have a responsibility to make this work," Holleyman added in the statement. "Meeting the information security challenge is not just the job of the government, it is everyone's job. Industry and government can set the example by making sure that this issue is addressed at the top level of every organization."

According to a DHS press release, the new division's goals will be to:

-- Identify risks and help reduce the vulnerabilities to government's cyber assets and coordinate with the private sector to identify and help protect U.S. critical cyber assets.

-- Oversee a consolidated Cyber Security Tracking, Analysis, & Response Center (CSTARC), which will detect and respond to Internet events, track potential threats and vulnerabilities to cyberspace, and coordinate cybersecurity and incident response with federal, state, local, private sector and international partners.

-- Create, in coordination with other appropriate agencies, cybersecurity awareness and education programs and partnerships with consumers, businesses, governments, academia, and international communities.

Paul Roberts in Boston contributed to this story.
[ISN] Fear drives irrational security decisions
http://www.globetechnology.com/servlet/story/RTGAM.20030605.gtwkapi/BNStory/Front/ By JACK KAPICA [EMAIL PROTECTED] Globe and Mail Update Jun. 5, 2003 It was bad enough that, before 2001, security companies that had products and services to sell generated most of the fear of being hacked on the Internet. But after the 9/11 terrorist attacks, things got wonky. Prophets of doom appeared at every corner, issuing dire warnings of enormous financial losses. And the U.S. government, dipping its pen into propaganda, raised the fear factor by creating the National Strategy to Secure Cyberspace, a list of ''policy initiatives'' issued by the Bush Administration's Department of Homeland Security to combat ill-defined threats. This is not to diminish the damage hackers have done, which is very real, and the necessity for tighter security as corporations move more of their valuable business on-line. But with fear running high, it's tough to make clear-headed decisions about securing systems to minimize damage. Delegates flocking to Toronto for the 2003 Infosecurity Conference this week should be asking themselves about this, especially in light of the eighth annual Computer Crime and Security Survey, released last week by the Computer Security Institute and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad. The CSI/FBI survey did more to muddy the waters than to clear them. While overall financial losses, as reported by corporate respondents, had dropped by more than half from the previous year, from $455-million to $202-million (U.S.), the number of attacks remained about the same. Not surprisingly, the results were called "disturbing" by CSI director Chris Keating, who added that "more must be done" to improve security. It's worth examining the results of the CSI/FBI survey because it is one of the most respected in its field; yet its primary purpose is not accuracy. Mr. 
Keating himself said that through the eight years of conducting the survey, CSI has "delivered on its promise to raise the level of security awareness" -- in other words, the survey's job is to promote (or sell) security. To get a better fix on accuracy, I put the question to Mary Kirwan, senior director of Mississauga-based Kasten Chase Applied Research, which specializes in on-line security. Ms. Kirwan, a lawyer by profession and trained in statistics, expressed misgivings. She said she had problems with two main areas: the response rate to the survey, and the kind of people who answered. The CSI/FBI survey has a historical response rate of between 9 and 15 per cent, too low for accurate analysis. And of that small number -- 530 respondents -- only half admitted to cyberattacks, and only 30 per cent told law enforcement officials about them. Moreover, statistics for the survey were collected mainly from corporate security specialists, and they are "usually too far down the totem pole to report an accurate figure" of their losses, Ms. Kirwan said; even if qualified, they are hesitant to admit to losses for fear of damaging their image. While three-quarters of the respondents reported some financial loss, only 45 per cent would tell the survey how much. Also significant, Ms. Kirwan said, was the fact that 22 per cent of the respondents confessed they didn't even know whether their security had been breached. With numbers like these, the results of the survey become questionable -- but it must be added that they are not entirely inaccurate. The survey confirmed some broad trends that most specialists in computer security have been seeing. 
Among them is the growing dominance of two kinds of attack: theft of proprietary information, including identity theft (which caused the greatest losses, the survey said, at $70-million), and denial-of-service attacks (the second most expensive computer crime, amounting to losses of $65-million, up 250 per cent from last year's losses). The rankings reflect Kasten Chase's own findings. Ms. Kirwan's experience is that most cases of theft of proprietary information and identity theft are inside jobs done by disgruntled employees, and denial-of-service attacks are usually the work of "script kiddies," young amateur attackers who download a malicious program from the Internet and launch non-profit attacks purely for bragging rights to their friends, a form of vandalism. Corporate interests would therefore be well advised to protect themselves against random vandalism, using any number of available measures to ward off denial-of-service attacks. And it's not enough to install antivirus programs, firewalls and access-control technologies when the enemy is already behind the firewall, on the payroll and armed with a legal password; aside from more reliable in-house systems policies, more effort should be put into a review of corporate attitudes to their own work forces, into whose hands they have placed tools of incredible power. Ms. Kirwan wisely advised that we should not
[ISN] Feds escape Bugbear bite
http://www.fcw.com/fcw/articles/2003/0602/web-virus-06-06-03.asp By Rutrell Yasin June 6, 2003 The variant of the Bugbear computer worm that started to spread throughout the Internet on June 5 doesn't appear to have adversely impacted federal agencies, according to initial reports from cybersecurity experts. Hit by a wave of fast-spreading, Internet-borne viruses over the past few years, agencies, like many corporations, have moved to shore up virus protection and cyberdefenses, agency security officers and security experts noted. Bugbear is an Internet mass-mailing worm. Once activated on a computer, the worm e-mails itself to addresses found on the local system. The sender address in a message can be spoofed, or forged, and so is not a direct indication of an infected user. Bugbear spreads using network shares and by mailing itself using the default Simple Mail Transfer Protocol engine. Users will know that they have been infected by the presence of a non-standard .EXE file in the startup folder, virus experts said. "We have not seen any of our government customers infected," said Peter Stapleton, product marketing manager at NetSec Inc., which provides security services for nine cabinet-level departments including the departments of Agriculture, Justice and the Treasury. "We've advised all of our clients they should not allow executable files through the e-mail server," Stapleton said. Blocking executable content at the e-mail gateway has become a standard policy of many agencies over the past two to three years, said Jimmy Kuo, a member of Network Associates Inc.'s AntiVirus Emergency Response Team (AVERT). As a result, Network Associates' government clients, such as the Defense Information Systems Agency and the Department of Veterans Affairs, weren't infected with the Bugbear variant. Veterans Affairs cybersecurity chief Bruce Brody confirmed Kuo's claims, noting that Bugbear's impact was "negligible." He added, "Our antivirus defenses are robust." 
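The gateway policy Stapleton and Kuo describe (refuse executable attachments at the mail server), as an added example that is not code from the article or from NetSec, Network Associates or any other company named in it. The filter below looks at both the attachment name and the first bytes of the decoded payload, because a mass-mailer can attach its own copy under a harmless-looking name; the extension list and the sample messages are assumptions constructed for illustration, and the forged From: header is deliberately never consulted.

```python
"""Gateway-side attachment filter: block executables by extension and by content.

Added example; not code from the article or from any party it names.  The
extension list and the sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will run directly when double-clicked (assumed list,
# deliberately short; a production filter would carry a longer one).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk",
}
# Every DOS/Windows PE executable begins with the two-byte 'MZ' signature.
PE_MAGIC = b"MZ"


def attachment_verdicts(raw_message: bytes):
    """Return [(filename, reason), ...] for each attachment that must be blocked.

    An empty list means the message may pass.  The content check runs even when
    the extension looks harmless, so 'readme.txt' carrying an MZ header is
    still caught.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS:
            blocked.append((name, "executable extension"))
        elif payload.startswith(PE_MAGIC):
            blocked.append((name, "PE header in content"))
    return blocked


def should_reject(raw_message: bytes) -> bool:
    """Gateway decision: reject the whole message if any attachment is blocked."""
    return bool(attachment_verdicts(raw_message))


def build_sample(filename: str, content: bytes) -> bytes:
    """Construct a one-attachment message for testing (constructed data).

    The From: header is meaningless on purpose: the worm forges it, so the
    filter never uses it to decide anything or to work out who is infected.
    """
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "Re: your document"
    m.set_content("See attached.")
    m.add_attachment(content, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


# Constructed samples: a plain .EXE, a PE renamed to .txt, and a real text file.
SAMPLES = {
    "plain_exe": build_sample("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    "renamed_exe": build_sample("readme.txt", b"MZ\x90\x00" + b"\x00" * 60),
    "real_text": build_sample("notes.txt", b"Meeting moved to 3pm."),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = "REJECT" if should_reject(raw) else "PASS"
        print(label, verdict, attachment_verdicts(raw))
```

Run stand-alone it prints the verdict for each constructed sample; the renamed executable is the case an extension-only rule misses, and the genuine text file shows the content check does not block ordinary attachments.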
The Department of Defense also viewed Bugbear as a low-level threat. "The Joint Task Force-Computer Network Operations, in coordination with the Department of Defense Computer Emergency Virus Response Team, assesses viruses and their potential impact to DOD systems," according to a JTF-CNO spokesman in a statement e-mailed to FCW. The DOD works closely with industry partners and virus protection vendors to ensure that the agency stays up to date on antivirus signatures and that they are deployed across DOD's global information network. "Because we continuously and rapidly take such proactive measures, the JTF-CNO and the DOD CERT have assessed the impact of the named viruses as low threat and note no significant impact to date," the DOD spokesman said. The Bugbear variant was still spreading through the Internet on Friday, prompting virus protection teams at Network Associates and Symantec Corp. to classify the worm as a high risk. Symantec Security Response analysts had tracked 1,002 submissions of the variant, known as W32.Bugbear.B, by Friday, said Vincent Weafer, senior director of Symantec Security Response. Symantec analysts don't think the worm's spread has peaked yet. By comparison, the original Bugbear worm was discovered on Sept. 30, 2002 and peaked in its fifth day with 6,888 submissions. Dan Caterinicchia and Judi Hasson contributed to this story.
[ISN] Linux Advisory Watch - June 6th 2003
LinuxSecurity.com Linux Advisory Watch
June 6th, 2003 Volume 4, Number 22a
Editors: Dave Wreski [EMAIL PROTECTED], Benjamin Thomas [EMAIL PROTECTED]
Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability. This week, advisories were released for maelstrom, apache, tomcat, kernel, wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail, xinetd, lprng, lv, and httpd. The distributors include Gentoo, Immunix, Mandrake, OpenPKG, Red Hat, Turbolinux, and Yellow Dog. This week there were several new advisories. Red Hat and others released several patches to their 2.4 kernel. For those of you using PPC architecture and running Yellow Dog Linux, this is your week. Eight new advisories were released, but most of these were fixes to known problems. Many would argue that late is better than never. :) Last week, I wrote about several choices a system administrator can make to achieve a secure system. However, I did not discuss why someone would want to pay particular attention to security. Perhaps it is because your boss demands it, or because you are responsible and take special pride in maintaining a secure system. Several industries are mandated by the US federal government to ensure privacy and security. If you are familiar with the health care industry, you have probably heard about HIPAA (The Health Insurance Portability and Accountability Act of 1996), or if you work closely with the financial industry, you've heard of the Gramm-Leach-Bliley Act. If you have been to the doctor's office, dentist, or pharmacist in the last few months, you should have been asked to sign several forms that inform you of your privacy rights. This is a requirement of the HIPAA privacy rule. Now, companies are working to achieve compliance with the second part of HIPAA, the security rule.
Compliance must be met by April 21st 2005. You may be asking yourself, "I'm not part of the health care industry, why should I care?" The HIPAA security rule (164.308-164.312) provides a high-level outline of what it takes to achieve security in an organization. It outlines administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and maximum availability of data. The Department of Health and Human Services has made a strong effort to ensure that all mandatory and addressable rules follow industry standards. The security requirements have been scrutinized and modified at the request of health care industry leaders. Addressing each of the rules prescribed by HIPAA should not be viewed as a hindrance, but as good business practice. Although every organization has an established method for maintaining security, a lot can be learned from HIPAA. No matter what industry you're in, you should take a moment to review the requirements and apply the principles to everyday operation. The final published security rule can be found in the Federal Register, Volume 68, No. 34. Some of the major parts of the security standards include the security management process, incident procedures, contingency planning, workstation security, audit controls, integrity, authentication, etc. In short, the point I am trying to make is that the standards proposed by HIPAA can be applied to almost any organization. Although I believe they are far from perfect, they can be quite helpful. If you have any questions on how the HIPAA standards can be applied to your organization, please feel free to write. Until next time, [EMAIL PROTECTED] >> Need to Secure Multiple Domain or Host Names? << Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates.
Click here to download our Free guide: http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte20 FEATURE: Real-Time Alerting with Snort Real-time alerting is a feature of an IDS or any other monitoring application that notifies a person of an event in an acceptably short amount of time. The amount of time that is acceptable is different for every person. http://www.linuxsecurity.com/feature_stories/feature_story-144.html * Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite is unparalleled in security, ease of management, and features. Open source technology constantly adapts to new threats. Email firewall, simplified administration, automatically updated. --> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2 --
[ISN] Cryptography at the core of sound IT security
http://www.computerworld.com/securitytopics/security/story/0,10801,81955,00.html By Chris Conrath ITWorldCanada.com JUNE 09, 2003 TORONTO - Whitfield Diffie, chief security officer at Sun Microsystems Inc., likes to dole out his first tenet of IT security -- one no one should forget. "Whenever you have a secret, you have a vulnerability." The tenet, given during the keynote at the Infosecurity Canada conference in Toronto last week, points to one of cryptography's -- and IT security's, for that matter -- basic pillars: if you have something you want to control, you have a problem. Diffie, who is best known for his discovery of public key cryptography more than a quarter century ago, spoke via satellite to a packed room of IT experts, all of whom are trying to come to grips with their growing difficulties controlling corporate information. "The problem has diversified out around the solutions," he said, noting that increased use of cell phones, pagers and mobile computing devices has made an already difficult situation worse. Regardless, there is too much business value passing through these devices for the security issues to be ignored, he added. Part of the larger problem is that there is no one effective way to channel cryptographic needs since there are so many different protocols, he said. Diffie traced the entire security issue back to the origins of cryptography hundreds of years ago, but he keyed in on radio as the first example of a new technology that made the dissemination of information easy but the control proportionally more difficult. It was a great way to communicate but everyone else had access to your data, he explained. Diffie asserted that companies will have to get a lot better at protecting their proprietary data if they don't want to find themselves in the position of the dress designer who hands a pattern to a dress maker only to find knock-off copies being produced days later. 
The solution may lie in the use of the new Advanced Encryption Standard (AES), Rijndael, Diffie offered, "if AES is as strong as it appears." "Assuming we are correct and the system is sound," we are looking at tens of thousands of years before it could be cracked, he explained. This assertion seems open for debate. In a Bruce Schneier CryptoGram newsletter late last year, Schneier brought up the possibility that AES could be cracked by techniques faster than brute force. However, even Schneier -- himself a world-renowned cryptographer -- said there is no need to panic, as the discussion around AES' vulnerability is entirely theoretical. Diffie added that even with the advent of quantum computing in the near future, AES "traffic is not going to be read in the foreseeable future."
[ISN] IT Managers See Need for Risk Metrics
http://www.computerworld.com/securitytopics/security/story/0,10801,81897,00.html By JAIKUMAR VIJAYAN JUNE 09, 2003 Computerworld WASHINGTON -- Technology managers trying to justify and prioritize IT security spending are searching for some way to quantify the risk management benefits. But a lack of standard processes and the wide variability of factors that affect risk are making it hard for companies to collect such metrics, users said last week at a conference here organized by Gartner Inc. "There is an increasing focus on measuring security effectiveness," said Carl Cammarata, chief information security officer at automobile association AAA Michigan in Dearborn. Companies are realizing that "you can't manage what you can't measure." Driving the trend is the fact that security budgets have been rising by 20% annually over the past couple of years, said Richard Hunter, an analyst at Stamford, Conn.-based Gartner. "These have been pure costs, and CIOs and CEOs are asking what they are getting from all that [spending]," Hunter said. "If the response is, 'You are getting better security,' the next question is, 'How do you know?' " As a result, security administrators are under growing pressure to find quantitative measures to demonstrate the efficacy of their security strategies. "You need to have a baseline to measure against. If you don't have any measurements, you don't know where you are," said Gregory Waters, a senior information assurance engineer at TWM Associates Inc., an IT auditing firm in Fairfax, Va. The numbers can come from a variety of sources. For example, said Gartner, a company could collect metrics on the number of attacks it faced during a specific period, the type of attacks, the percentage of attacks that were successful, the time that elapsed between the onset of an attack and when it was first detected, and the time it took to launch countermeasures. 
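The measurements Gartner lists above (attack counts by type, the share of attacks that succeeded, time from onset to first detection, time from detection to countermeasures) are easy to state and easy to get wrong when computed from a handful of records. The following is an added example, not code from the article or from Gartner, AAA Michigan or any vendor it names; the Incident record layout and the one-week sample are assumptions constructed for illustration.

```python
"""Turning incident records into the security metrics discussed above.

Added example; not code from the article or from any party it names.  The
Incident layout and the sample records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Incident:
    kind: str                      # attack type, e.g. "worm", "dos"
    onset: datetime                # when the attack started
    detected: datetime             # when it was first noticed
    contained: Optional[datetime]  # when countermeasures were in place (None = still open)
    succeeded: bool                # did the attacker achieve an effect?


def parse_time(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records for one week (assumed data, not real incidents).
SAMPLE_INCIDENTS = [
    Incident("worm", parse_time("2003-06-05 09:00"), parse_time("2003-06-05 09:20"),
             parse_time("2003-06-05 11:00"), False),
    Incident("dos", parse_time("2003-06-06 02:00"), parse_time("2003-06-06 02:05"),
             parse_time("2003-06-06 04:05"), True),
    Incident("worm", parse_time("2003-06-07 14:00"), parse_time("2003-06-07 16:00"),
             parse_time("2003-06-08 10:00"), True),
    Incident("web-defacement", parse_time("2003-06-08 23:30"), parse_time("2003-06-09 08:00"),
             None, True),
]


def _median_minutes(deltas):
    """Median of a list of timedeltas, in minutes; None when nothing can be measured."""
    if not deltas:
        return None
    return median(d.total_seconds() for d in deltas) / 60


def summarize(incidents, period_start: datetime, period_end: datetime) -> dict:
    """One-page dashboard for incidents whose onset falls in [period_start, period_end).

    Medians rather than means, so one slow-to-detect case does not swamp the
    picture; the attack count is reported alongside so a reader can judge how
    much weight the figures deserve (a handful of incidents is a trend
    indicator, not a risk measurement).
    """
    in_period = [i for i in incidents if period_start <= i.onset < period_end]
    time_to_detect = [i.detected - i.onset for i in in_period]
    time_to_contain = [i.contained - i.detected for i in in_period if i.contained is not None]
    return {
        "attacks": len(in_period),
        "by_type": dict(Counter(i.kind for i in in_period)),
        "success_rate": (round(sum(i.succeeded for i in in_period) / len(in_period), 2)
                         if in_period else None),
        "median_minutes_to_detect": _median_minutes(time_to_detect),
        "median_minutes_to_contain": _median_minutes(time_to_contain),
        "still_open": sum(1 for i in in_period if i.contained is None),
    }


def weekly_summary() -> dict:
    """Dashboard for the constructed sample week, 5 June to 11 June 2003."""
    return summarize(SAMPLE_INCIDENTS, parse_time("2003-06-05 00:00"),
                     parse_time("2003-06-12 00:00"))


if __name__ == "__main__":
    for key, value in weekly_summary().items():
        print(f"{key:28} {value}")
```

Note that the dashboard distinguishes "no data" (None) from "zero": a period with no incidents yields no success rate rather than a reassuring 0.0, which is the false sense of security Spernow warns about below.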
The metrics could also relate to a company's overall risk profile based on an assessment of the vulnerabilities and threats faced by an organization and the countermeasures in place to deal with them. Meaningful Metrics Some vendors, such as Foundstone Inc. in Mission Viejo, Calif., and TruSecure Corp. in Herndon, Va., offer tools they say will help companies numerically score their risk on a sliding scale based on such assessments. Used properly, such metrics can help security administrators give business managers a better snapshot of a company's risk profile, Cammarata said. At AAA, merely using statistics and benchmarks from organizations such as the SANS Institute in Bethesda, Md., and the Computer Security Institute in San Francisco no longer cut it, Cammarata said. "My managers want to know what these statistics mean to my organization specifically," he said. Consequently, AAA is planning to gather internal metrics to build a one-page "dashboard" that will give managers a better, more relevant picture, he said. Northrop Grumman Mission Systems in Reston, Va., is pursuing a similar dashboard approach, said CIO Diane Murray. "It will give us a high-level management view of how well we are doing" on the security front, she said. Such information can also be useful to auditors for evaluating a company's compliance with regulatory requirements. But gathering such metrics and using them in a meaningful way can be hard, especially when dealing with an issue such as risk, said Bill Spernow, chief information security officer at the Georgia Student Finance Commission in Tucker. "The raw statistics that we need to create a measurable foundation do not exist," he said. Moreover, numbers may not always tell the full story, because there are too many variables and dependencies involved in measuring risk, Spernow said. At best, they are "trend indicators" that could create a "false sense of security" if relied upon solely, he added. 
Standards such as ISO 17799, which covers IT governance and data security, can provide a good basis for understanding what's needed to build effective IT security, he said.
[ISN] Linux Security Week - June 9th 2003
LinuxSecurity.com Weekly Newsletter
June 9th, 2003 Volume 4, Number 23n
Editorial Team: Dave Wreski [EMAIL PROTECTED], Benjamin Thomas [EMAIL PROTECTED]
Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "OpenBSD Gets Harder to Crack," "Quantum Cryptography Stretches 100 Kilometres," "Fear Drives Irrational Security Decisions," and "Building Firewalls with iptables." LINUX ADVISORY WATCH: This week, advisories were released for maelstrom, apache, tomcat, kernel, wget, file, lprng, cups, ghostscript, kon2, gnupg, squirrelmail, xinetd, lprng, lv, and httpd. The distributors include Gentoo, Immunix, Mandrake, OpenPKG, Red Hat, Turbolinux, and Yellow Dog. http://www.linuxsecurity.com/articles/forums_article-7394.html >> FREE Apache SSL Guide from Thawte << Are you worried about your web server security? Click here to get a FREE Thawte Apache SSL Guide and find the answers to all your Apache SSL security needs. Click here to download our Free guide: http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=thawte21 FEATURE: Real-Time Alerting with Snort Real-time alerting is a feature of an IDS or any other monitoring application that notifies a person of an event in an acceptably short amount of time. The amount of time that is acceptable is different for every person. http://www.linuxsecurity.com/feature_stories/feature_story-144.html * Comprehensive SPAM Protection! - Guardian Digital's Secure Mail Suite is unparalleled in security, ease of management, and features. Open source technology constantly adapts to new threats. Email firewall, simplified administration, automatically updated.
--> http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=mailnews2
LINUXSECURITY.COM FEATURE: Intrusion Detection Systems: An Introduction By: Alberto Gonzalez Intrusion Detection is the process and methodology of inspecting data for malicious, inaccurate or anomalous activity. At the most basic levels there are two forms of Intrusion Detection Systems that you will encounter: Host and Network based. http://www.linuxsecurity.com/feature_stories/feature_story-143.html
Concerned about the next threat? EnGarde is the undisputed winner! Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you. http://guardiandigital.com/cgi-bin/ad_redirect.pl?id=newsletter
Host Security News -- Articles This Week
* Cutting Spam Down To Size June 6th, 2003 How many clever or not-too-clever phrases have been written about people's feelings concerning spam, that is, unwanted commercial e-mail? We'd like to can it, kill it, squash it, fry it and shred it. Yet it still keeps popping up in the in-box, mocking us to do something about it. http://www.linuxsecurity.com/articles/privacy_article-7404.html
* Flexible OS Support and Applications for Trusted Computing June 6th, 2003 Trusted computing (e.g. TCPA and Microsoft's Next-Generation Secure Computing Base) has been one of the most talked about and least understood technologies in the computing community over the past year. The capabilities trusted computing provides have the potential to radically improve the security and robustness of distributed systems. http://www.linuxsecurity.com/articles/security_sources_article-7395.html
* OpenBSD Gets Harder to Crack June 4th, 2003 On the security field, nothing is quite as revealing--or as taxing--as the passage of time. By that measure in particular, the OpenBSD development team's OpenBSD operating system stands out. http://www.linuxsecurity.com/articles/vendors_products_article-7387.html
Network Security News
* Quantum Cryptography Stretches 100 Kilometres June 5th, 2003 Communications protected with the complete security of quantum cryptography are now possible over an ordinary 100-kilometre fibre optic cable, thanks to sophisticated photon detection equipment developed by UK researchers. http://www.linuxsecurity.com/articles/cryptography_article-7392.html
* Security Standards Could Bols
[ISN] US warns banks worldwide about BugBear virus
Forwarded from: William Knowles <[EMAIL PROTECTED]> http://www.smh.com.au/articles/2003/06/10/1055010959747.html Washington June 10 2003 The US government is warning financial institutions about a virus-like infection that has targeted computers at roughly 1200 banks worldwide, trying to steal corporate passwords. The FBI is investigating what private security experts believe to be the first internet attack aimed primarily at a single economic sector. Virus experts studying the blueprints for the latest threat to internet users were astonished to find inside the software code a list of roughly 1200 web addresses for many of the world's largest financial institutions, including JP Morgan Chase & Co, American Express Co, Wachovia Corp, Bank of America Corp and Citibank NA. The destructive infection, known as "BugBear.B," has spread to tens of thousands of consumer computers across the internet since last week, but investigators and industry experts said they were unaware if any financial institutions had been significantly affected. Industry executives told US Treasury Department officials and other banking regulators during a meeting in Washington yesterday that while they were concerned that the infection targeted them, they were unaffected because of tight corporate security. The infection "was hammering the outside servers but it was being rejected," said Suzanne Gorman, head of the Financial Services Information Sharing and Analysis Centre, a bank cybersecurity organisation that works with the US government. "People weren't reporting that it got through to their personal organisations." The analysis centre had distributed information from the Homeland Security Department to US banks using its highest-priority alert on Thursday, Gorman said. The discovery of the banking web addresses inside the software code "raised a lot of eyebrows," she said. FBI spokesman Bill Murray confirmed the agency was trying to trace the author of the attacking software. 
Experts said the BugBear software was programmed to determine whether a victim used an email address that belonged to any of the 1300 financial institutions listed in its blueprints. If a match was made, it tried to steal passwords and other information that would make it easier for hackers to break into a bank's networks. The software transmitted stolen passwords to 10 email addresses, which also were included in the blueprints. But experts said that on the internet, where anyone can easily open a free email account using a false name, knowing those addresses might not lead detectives to the culprit. "Depending on how those email boxes are used, it could make investigating this a little easier," Murray said. "But it's not that easy. Those addresses may be blind boxes." *==* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==*
[ISN] Army prepping IA policy
http://www.fcw.com/fcw/articles/2003/0609/web-armyia-06-09-03.asp By Dan Caterinicchia June 9, 2003 The Army is preparing an information assurance (IA) policy that will guide the way the service implements a Defense Department IA directive. An enterprise information assurance policy is one of three key pillars needed to support the Army Knowledge Management (AKM) imperatives of defending networks, supporting the Objective Force and lowering the total cost of information technology ownership, said Robert Ringdahl, chief integration officer at Network Enterprise Technology Command's Enterprise Systems Technology Activity. The Army policy is in draft form and should be ready for release by September, Ringdahl said during a June 5 speech at the Army Small Computer Program's IT conference. "It will be the Army's implementation policy of [DOD's 8500.1] directive," he told Federal Computer Week. Directive 8500.1 was issued in late October 2002 and calls for Defense agencies to protect data as it is shared across the Global Information Grid. Furthermore, DOD Instruction 8500.2, dated Feb. 6, sets forth the way that rules and policies in the directive are implemented. The instruction is designed to ensure that information awareness training and education are provided to all military and civilian personnel, specific to their responsibilities for developing, using and maintaining DOD information systems. Col. Ted Dmuchowski, director of information assurance at the Network Enterprise Technology Command, said the new Army policy is really an updated information assurance regulation that will align and consolidate the service's information assurance goals and objectives to support DOD Directive 8500.1 and Instruction 8500.2. "The policy will reduce the manageability requirements of information systems, minimize the effects of unauthorized access or loss, and increase the effectiveness of IA integration as part of the life cycle of all information systems," Dmuchowski said.
He noted that the "cornerstone philosophy of Army information assurance" is to:
* Design, implement and secure accesses, data, systems and repositories.
* Increase trust and trusted relationships.
* Employ technical and operational security mechanisms.
* Deny all unauthorized accesses.
* Permit necessary exceptions to support Army, DOD, and Joint interagency and multinational tactical and sustaining-base operations.
In addition to creating the Army's information assurance policy, Ringdahl said the service must deal with two other key pillars to support its AKM imperatives: the role of reimbursable funding vs. cost funding, and the role of Microsoft Corp. -- which appears to be clearer with the May 30 award of an enterprise software agreement. The funding question is "evolving and [is] a topic of intense discussion" among the Army's IT leaders, he said, adding that decisions must be made whether reimbursements will be done at the individual user or major command level.
[ISN] Oracle Drives Security Deeper
http://www.eweek.com/article2/0,3959,1120074,00.asp By Dennis Fisher June 9, 2003 Oracle Corp. is developing several security tools to help users of the company's software find vulnerabilities and lock down their systems. The tools, which will be released over the next several months, are part of an effort by the company to extend its security commitment to customers beyond simply writing secure code and shipping software in a secure configuration, company officials at the Gartner IT Security Summit here said. The first tools due are scanners of sorts that pore over customer installations and assess which patches have been installed and which still need to be applied, according to Mary Ann Davidson, chief security officer at Oracle, based in Redwood Shores, Calif. The technology will look for all software updates - not just security patches - although it will likely flag missing security fixes differently from other updates. Oracle officials said they hope to have the technology ready this year. The assessment tool is just one in a series of technologies that Oracle will release as part of its plan to make security simpler and less time-consuming. "We try to ship our products secure by default, but we should have better wizards for that," Davidson told eWEEK. "Reading five pages of documentation to lock something down is too much." To address that, Oracle is also at work on an auto-hardening tool that will help administrators identify unneeded services and common configuration mistakes. While the details of this technology are being worked out, the tool will be able to look for database services that are used by attackers and warn admins that services should be turned off if not used often. The tool also will be able to find configuration problems that can lead to vulnerabilities that might be exploited. Davidson estimated the tool will be ready in nine months to a year. 
The work is an extension of the company's much-publicized campaign to emphasize the security of its products. The effort, which claimed the Oracle database software is "unbreakable," put the spotlight on Davidson and her security team. Oracle is not the first software maker to see the need for these types of tools. Microsoft Corp. has had similar technologies available for some time. In fact, the Redmond, Wash., company last week released a new version of its Baseline Security Analyzer tool, which scans for common security misconfigurations. Oracle plans to provide the new tools to users for free. Customers say there is a definite need for the tools the company is developing. "Oracle has evolved into one of the most flexible databases, and the number of configurations is almost endless," said Don Burleson, CEO of Burleson Oracle Consulting, in Raleigh, N.C., and an Oracle expert. "Oracle has one of the best security models in the world, but the challenge is up to the administrator to make sure the configuration is optimal."
[ISN] The Two Faces of Foundstone
Forwarded from: Alan Smithee <[EMAIL PROTECTED]> http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.htm By Richard Behar [EMAIL PROTECTED] Monday, June 9, 2003 FORTUNE In the Jun. 23, 2003 Issue... George Kurtz may be his own worst enemy. In just four years Kurtz, CEO of Foundstone, and Stuart McClure, its president, created one of the best-known U.S. computer-security companies by exposing the vulnerabilities of software firms. Thousands of FORTUNE 500 executives and government officials--from the FBI and the National Security Agency to the Army, the Federal Reserve, and even the White House--have taken Foundstone's Ultimate Hacking courses, at up to $4,000 per person. Motorola and Bank of America have shelled out more than $300,000 each for Foundstone products, and the company recently installed software to protect the FAA. But it doesn't take the skills of a hacker to see that Foundstone, a privately owned $20-million-a-year company in Mission Viejo, Calif., is in trouble. It has been accused of widespread software piracy by a leading industry trade group, FORTUNE has learned--charges corroborated by current and former Foundstone employees and by computer printouts obtained by the magazine. The trade group, the Software & Information Industry Association, informed Kurtz by letter in May that it intended to pursue copyright-infringement charges against Foundstone. It acted after a confidential source alleged that McClure and Gary Bahadur, Foundstone's chief information officer, routinely spread unlicensed software to the company's 125-member workforce; that Kurtz was aware of that practice; and that in early April the CEO ordered his staff to delete unlicensed software from their computers. "They're gambling with their reputation," says Keith Kupferschmid, head of the association's antipiracy unit, which investigated and found the allegations credible. "That's not a smart thing to do." Kurtz vehemently denies the company engaged in piracy. 
"We have strict policies against piracy," he says. "We take intellectual property very seriously, given that we are a software company." He adds that Foundstone conducted an internal audit in April, "and we're in compliance." The evidence suggests otherwise. For years, according to former employees, top executives at Foundstone dumped a seemingly endless supply of the latest software onto a company server called Zeus and into a Microsoft Outlook folder called Tools, available to everyone on staff. Employees say they were told to download whatever programs they needed by using license keys registered only to McClure or Bahadur. (Legally Foundstone should have paid for each user.) The unauthorized software ranged in value from $35 to $15,000 per user and included everything from Acrobat to X-WinPro. "They've stolen pretty much everything when it comes to software," says a founding employee who asked not to be named. The company even cracked Microsoft's operating system, Windows XP, says Dan Kuykendall, a former Foundstone software engineer, "so you could install it on multiple computers without any problems." The founding employee estimates that only 5% of the software used at Foundstone was paid for. (Foundstone's lawyers say that only 5% was unlicensed and that the company has spent more than $1.5 million on software.) Foundstone also trained thousands of corporate and government security personnel on software that it duplicated in ways that avoided triggering license fees, according to Kurt Weiss, a training coordinator until last year, who says it was part of his job to copy software packages onto the drives of 40 laptops per class. The use of unlicensed software is a global problem--estimates of lost revenues range up to $13 billion a year--but it's rare among companies whose business is safeguarding intellectual property. 
"We happen not to have any experience with other security-software companies' doing that," says William Plante, chief investigator at Symantec, a Foundstone competitor. "Especially for a software company interested in protecting its own copyrighted material. If true, it's pretty unconscionable." One software package available on Foundstone's server was Teleport Pro, an offline browser program made by Tennyson Maxwell Information Systems. Only Bahadur had a license, says Michael Del Monte, Tennyson's top developer. "That's a no-no," he says. "Companies are pretty responsible about purchasing licenses for everybody who's going to be using the software. You would think that as a security company, they'd be more careful about that kind of thing." Another software package, UltraEdit, was in Foundstone's Tools folder in violation of its one-user license, the manufacturer says. In some ways the Foundstone tale is a microcosm of the ugly side of the dot-com craze--arrogance, greed, mismanagement, and stupidity. But those are indulgences the computer-security industry can no longer afford. The market for its services has
RE: [ISN] The Two Faces of Foundstone (two messages)
Forwarded from: William Knowles <[EMAIL PROTECTED]> Just a quick note to the fans, founders and employees of Foundstone. I was torn whether or not to post this article, I was floored by how many people sent in a copy of this story. While I am not complaining about users sending in news, (I wish it would happen more than it does) it did have me wondering how many people are really gunning for Foundstone's demise? As for the forwarded from: Alan Smithee, and how there are no remailers using that name, well, all the mail was asking to post this news anonymously. Alan Smithee for the uninformed is the name given by directors who disown their films for any reason. "Alan Smithee" is an anagram for "The Alias Men" http://us.imdb.com/Name?Smithee,+Alan -=- Forwarded from: Steve Manzuik <[EMAIL PROTECTED]> First of all, I have nothing against Foundstone or any of its employees; in fact I have much respect for George Kurtz and the rest of the founding members of Foundstone. But, that being said -- if you compare Hacking Exposed to any of the Big 5 (final 4 maybe) methodologies or "hacking courseware" they are all pretty much the same other than formatting differences. In fact, Foundstone's hacking course is organized and presented in pretty much the exact same manner as one of the Big 5s course. Kudos to George for seeing the opportunity to publish this before the Big 5s did.
[ISN] Napster founder has cameo role in 'Italian Job'
http://www.siliconvalley.com/mld/siliconvalley/6053592.htm By Dawn C. Chmielewski Mercury News June 10, 2003 The irrepressible Napster is back -- and once again as culturally hip as Mini Coopers and Mark Wahlberg-sized biceps. Need proof? Check out the latest box-office hit, ``The Italian Job,'' in which Napster creator Shawn Fanning makes a cameo as himself. The former bad boy of Internet song swapping fits neatly into the remake of a 1969 thriller about a band of thieves who commit a gold heist in Venice. Fanning is there to establish the hacker credentials of the crew's computer genius, Lyle, who claims that he -- not Fanning -- invented Napster. Fanning appears in a flashback dorm-room scene, grinning as he swipes the program from his sleeping roommate, Lyle. (That's how the service got its name, Lyle laments, ``It's because I was napping when he stole the idea from me!'') It's vintage Fanning. The trademark baseball cap, the sly smirk, the absence of words (hey, Fanning's a quiet guy who speaks most eloquently through his computer code). The film's producer, Donald De Line, said the filmmakers reached Fanning last year through a single phone call to Napster. They sent him the script and invited him to play himself. ``He said, `absolutely,' '' De Line recalled. ``We were shocked.'' The scene was filmed last fall in a classroom of Hamilton High School in Los Angeles, which was made up to look like a dorm room. ``He said that it was a blast,'' said De Line. ``He was extremely polite. Very quiet. Kind of reserved. I thought, who is this kid who is the Napster? I was surprised. I expected something brash and kind of arrogant. He was the opposite.'' We can only guess that, after seeing his creation buffeted into oblivion by the recording industry, Fanning relished his cinematic comeuppance. 
In one scene, in which Lyle successfully hijacks the Los Angeles Automated Traffic Surveillance and Control Operations Center, the following message flashes across a bank of giant displays. ``You'll never shut down the real Napster.''
[ISN] Case of teen hacking suspect sent to Tokyo prosecutors
http://www.japantimes.co.jp/cgi-bin/getarticle.pl5?nn20030611a8.htm [http://www.zone-h.org/en/defacements/filter/filter_defacer=Sunakuzira/ - WK] The Japan Times June 11, 2003 Tokyo police on Tuesday turned over to prosecutors their case against a 15-year-old high school student suspected of hacking into some 140 Web sites in 23 countries and regions and defacing them with slogans opposing the war in Iraq. According to the cybercrime unit of the Metropolitan Police Department, the youth, who lives in Hamamatsu, Shizuoka Prefecture, hacked into the Web sites of private firms, government organs and educational institutions in Asia, the United States and Europe. The teen holds the dubious honor of having caused the most damage by a Japan-based hacker, they said. According to investigators, the teen said he began studying hacking techniques when he was in the second year of junior high school because he admired computer hackers. Police said he told them that he and a friend started trying to hack into computers around November because they wanted to write antiwar messages. "I first started hacking into Web sites in the U.S. and Britain, but after a while, it didn't matter where the sites were," the youth was quoted as saying. "I was happy to see my techniques improving." According to investigations, the student used a personal computer at his home to set up a so-called attack program to alter the contents of a Web site in Slovakia at around 2:40 p.m. March 28. Using this program, he allegedly went through a server in Thailand to alter the contents of a Web site managed by a company employee in Tokyo's Setagaya Ward to make a message reading "stop the war" appear on the site. The teen always signed his work with the name "Sunakuzira," police said. He apparently downloaded the attack program from the Internet and used the server in Thailand to find foreign sites without being traced. 
Police discovered the teen's hacking work while trolling the Net in search of cybercrimes and tracked him down through his transmission records.
[ISN] Agency's high-tech skills exaggerated
http://www.canada.com/technology/story.html?id=C803EBCB-F6A4-435B-B1A1-6D5B4F84172E [ http://www.cia.gov/csi/studies/vol47no1/article07.html - WK] Joseph Brean National Post June 10, 2003 The Central Intelligence Agency is so afraid of losing sensitive information to hackers that its analysts work on outdated and poorly integrated computers, according to a newly declassified report. Today's average CIA spy uses very little fancy gadgetry, the report suggests, and relies instead on a simple workstation built around two computers and two telephones -- one each for secure and unsecure correspondence. But in the agency's deep-rooted culture of suspicion, even the secure computers are bogged down in security protocol. Some files cannot be shared, some cannot be updated, and still others cannot be searched, the report says, and until recently, even Palm Pilots were banned from CIA facilities. All of this has left security analysts struggling to cobble together their reports with incomplete information. When it comes to computer security, the report reads, "hardly anyone asks whether a proposed rule will affect the ability of analysts to do their work." Bruce Berkowitz, the retired officer turned academic who researched the CIA's computer systems for an internal journal, said this institutional paranoia has left CIA analysts five years behind their peers at other government agencies in terms of tech savvy. His report chronicles the inability of security analysts to efficiently share files on ongoing matters or to quickly compile dossiers on breaking issues, such as missile proliferation in an unexpected country. This "technology gap" was brought into stark relief after Sept. 11, 2001, he said, when scores of analysts were re-assigned and "the process was anything but smooth." 
His conclusion, which comes as the CIA is planning sweeping computer upgrades, is at odds with the widespread, Hollywood-inspired perception of the Agency as a veritable fortress of the highest technology. In reality, the CIA is wary of computers, Mr. Berkowitz writes, and the strength of its fortress is built on an irrational fear of "bogey-men" that compromises efficiency. "Despite what one sees on TV, there is not much 'gee wiz' software at the typical DI analyst's desk. A few analysts use some specialized tools for sorting and displaying data [e.g., terrorist networks], and analysts who cover the more technical accounts use computerized models [e.g., analyzing the performance of foreign weapons]. But these are the exceptions," he wrote. Even the proposed upgrades do not offer much hope, as bureaucratic hurdles will stretch this process out over at least three years. Reg Whitaker, a professor at the University of Victoria specializing in security matters, called the tension between technology and security a "basic contradiction" of security analysis. He said the standard response has been a "culture of need to know," a compartmentalization of information that can be secure but also highly restrictive for anyone who uses the information.
[ISN] Industrial security gets a Linux lock
http://news.com.com/2100-1009_3-1015389.html By Robert Lemos Staff Writer, CNET News.com June 10, 2003 Control-system specialist Verano has introduced a service and software package to help companies protect their critical infrastructure from digital attacks. The product, dubbed Industrial Defender, aims to close holes in the security surrounding control systems used by utility companies, manufacturers and other industries. Verano announced the first piece, a network monitoring appliance and service, on Tuesday. Moreover, unlike Honeywell, Siemens and many other companies in the industrial application market, Verano doesn't build its products on top of a special version of Microsoft's Windows operating system, but on a security-enhanced Linux (SELinux) system. Originally created by the U.S. National Security Agency (NSA), SELinux adds mandatory access control to further lock down the Linux operating system. "Most of today's (control) systems were installed in the '80s and '90s, and weren't designed with security in mind," said Brian Ahern, CEO of the Mansfield, Mass.-based control-system management and security company. Ahern cited penetration tests by Verano's partners that indicate the network security around industrial control systems can be breached in as many as 90 percent of cases. The package is an early effort to target an often-overlooked part of corporate networks: the control systems that monitor and maintain factories, energy plants and other industrial infrastructure. Such networks--the two common types being Supervisory Control and Data Acquisition (SCADA) networks and Distributed Control Systems (DCSs)--have come under intense scrutiny after the Sept. 11 terrorist attacks, as they could be weak points in a strike against critical components of the U.S. infrastructure. 
While "cyberterrorism" has been the rallying cry of policy makers seeking stricter laws to punish hackers, and of government agencies asking for more funds, the chances and effects of any such attack have been greatly overblown. Instead, Ahern said, Verano's new service and software aim to protect a company's operation from the deleterious effects of a simple cyberattack. "Any industries that are operating in a real-time market can't cut the cord and isolate themselves," he said. "They have remote dial-in capabilities for their remote engineers and have to have a way to guard those entry points." While enterprise network security services do exist, the specialized network devices, or appliances, that monitor a network consume too much bandwidth, Ahern said. Typically, the general devices used in corporate networks can use between 6 percent and 10 percent of the typical 10Mbps Ethernet used in most factories and control applications. For real-time control systems, that just won't do, he said. Verano's expertise with control systems and its base of 200-plus industrial customers puts it in good stead, Spire Security analyst Peter Lindstrom said. "Their big value-proposition is that they know the industry," he said. "Their stuff looks just like the products and services available in the enterprise security industry, but they are integrated differently." Verano's Ahern said that getting companies to adopt a Linux-based system will take a few years, more because of the slow pace of the industrial sector than because of any lack of faith in the open-source operating system. "My experience has shown that there is generally a three-year delay between when a technology moves into an enterprise and when it gets onto the plant floor," he said. However, security may be the issue that will speed that adoption cycle up.
[ISN] County board can't hack an unsafe network
http://www.uniondemocrat.com/news/story.cfm?story_no=11027 By SCOTT PESZNECKER June 10, 2003 Despite the state budget crisis that's also hitting counties, Calaveras County supervisors on Monday authorized the purchase of a new firewall system to protect the county's computer network from hackers. A firewall is hardware or software that limits access from the Internet to private networks. The new system, which costs $8,913, will protect all the servers in the county. The current system leaves the county's Web servers unguarded and vulnerable to hackers. If a hacker were to access a Web server, he or she could then access other servers on the network, said Howard Stohlman, director of the county's Technology Services Department. That could put private information such as health records at risk. The purchase will be paid for mostly by money that has been saved within the technology department during the current budget cycle. Maintenance on the system will cost $878 annually starting July 2004. Board of Supervisors Chairman Paul Stein said departments shouldn't be spending the money saved during this budget cycle, predicting the upcoming fiscal year will be just as financially stifling. In the end, though, Stein joined other board members in approving the purchase. Stohlman has said that if a hacker were to break into the county's network, the cost of repairing the damage could be greater than the cost of the new firewall.
[ISN] Turning the SEGA Dreamcast into a Linux firewall/router
http://www.linuxdevices.com/articles/AT2269911435.html [Slow news day, be thankful :) - WK] by Christian Berger (Jun. 9, 2003) Introduction This highly detailed 101-page how-to article provides the necessary background and procedures to turn a SEGA Dreamcast gaming console into a Linux-based software router with firewalling and virtual private networking capabilities. The article explains how to create the necessary toolchain for compiling both programs and the Linux kernel, and shows how, starting from scratch, you can build a Linux operating system that runs entirely in memory. Why bother? Today, the total costs of ownership (TCO) of a personal computer are so low, that you might wonder: "Why bother to build a software router based on a gaming console?" [...]
[ISN] Windows & .NET Magazine Security UPDATE--June 11, 2003
This Issue Sponsored By
Shavlik Technologies
http://list.winnetmag.com/cgi-bin3/DM/y/eRJb0CJgSH0CBw076e0A1
Windows & .NET Magazine
http://list.winnetmag.com/cgi-bin3/DM/y/eRJb0CJgSH0CBw06cX0AX

1. In Focus: Windows 2003 Patches; Responsible Vulnerability Reporting
2. Security Risks
   - Buffer Overruns in IE
3. Announcements
   - Get Exclusive VIP Web Site Access!
   - Learn 10 Ways to Deal with Spam!
4. Security Roundup
   - News: Windows & .NET Magazine Names TechEd 2003 Best of Show Winners
   - News: Microsoft Adds New Security Certification Program
   - News: Microsoft and VeriSign Partner on PKI
   - Feature: IPSec Enhancements for XP and Win2K
5. Instant Poll
   - Results of Previous Poll: Windows Update and SUS
   - New Instant Poll: Certifications and Hiring
6. Security Toolkit
   - Virus Center
   - Virus Alert: Bugbear.B
   - FAQ: How Do I Ensure that GPOs Are Applied When I Move a Computer to a New OU?
7. Event
   - Security 2003 Road Show
8. New and Improved
   - Secure Your PC
   - Token User Authentication
   - Submit Top Product Ideas
9. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Blocking KaZaA
10. Contact Us
   See this section for a list of ways to contact us.

Sponsor: Shavlik Technologies
Shavlik HFNetChkPro - Get 20% off in June! Buy HFNetChkPro in June and receive 20% off! Shavlik HFNetChkPro 4.0, the leader in automated patch management, assesses your network for missing security patches and automatically deploys patches, saving you thousands of hours. It includes loads of features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Now's the time to download our free HFNetChkLT version at www.shavlik.com and take a test drive!
http://list.winnetmag.com/cgi-bin3/DM/y/eRJb0CJgSH0CBw076e0A1
In Focus: Windows 2003 Patches; Responsible Vulnerability Reporting by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED] You're probably aware by now that Microsoft recently released security patches for Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01, including IE 6.0 for Windows Server 2003. The problems relate to unchecked buffers that could let arbitrary code execute on a user's machine. Patching your machines against these problems is probably critical. You can read about the problems in the article, "Buffer Overruns in IE," in this issue of Security UPDATE. The patch represents the first for the new Windows 2003 OS, and it came less than 2 months after the initial release. It's good to know that the company has taken care of that particular problem quickly, but apparently another patch for the new OS might be necessary soon. According to SecurityFocus, a user reported that Windows systems might be vulnerable to Denial of Service (DoS) attacks under certain conditions. If a Windows 2003, Windows XP, or Windows 2000 system has IP version 6 (IPv6) enabled, an attacker might be able to flood the server with Internet Control Message Protocol (ICMP) packets, resulting in a DoS condition for the target system. http://www.securityfocus.com/bid/7788 Microsoft is undoubtedly aware of the problem, but at the time of this writing, the company hasn't released a bulletin or patch. The problem is probably moderate and won't affect a huge number of systems because IPv6 isn't as widely deployed as IPv4. Nevertheless, we can probably expect Microsoft to issue a patch soon. Both the recently patched problems with IE and this DoS problem point out that faults found in code used across multiple versions of product families will, more often than not, carry over into the Windows 2003 OS, as has been the case with previous product versions. 
Speaking of newly reported vulnerabilities, the Organization for Internet Safety (OIS) has finally released its long-awaited draft proposal that outlines a process that security researchers and vendors can use to coordinate their efforts to patch security vulnerabilities. You recall that in 2001, Guardent, Foundstone, BindView, @stake, and Internet Security Systems (ISS) established OIS, which now counts the SCO Group, Network Associates, Oracle, and Symantec among its members. The group initially submitted a draft proposal to the Internet Engineering Task Force (IETF) as a Request for Comments (RFC). However, the IETF decided its forum wasn't suited for guideline proposals about responsible reporting. So the group struck out on its own to finish its draft, "Security Vulnerability Reporting and Response Process," now available to the public at the URL below. http://www.oisafety.org/resources.html According to an OIS press release, the draft "provides specific, p
Re: [ISN] This computer security column is banned in Canada
Forwarded from: Mark Bernard <[EMAIL PROTECTED]> Nice Tony, You are absolutely correct!! Obscurity does not make a problem go away; in fact it does nothing to solve the problem. What it does do is increase the risk of the vulnerability becoming exploited. Obscurity is not a form of risk acceptance but rather a form of plain ignorance. Like most counter measures we need to understand the problem before solving it. The bad guys are writing malicious code, so why don't the good guys learn how to do it too, so that they can mitigate the likelihood of exploitation? When we do vulnerability assessments or security assurance reviews we write code, check standards, policies and back doors etc... Learning to write malicious code is just another tool for the old tool box. Best regards, Mark, CISM. - Original Message ----- From: "InfoSec News" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, June 05, 2003 5:39 AM Subject: RE: [ISN] This computer security column is banned in Canada > Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]> > Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] > > There are articles and papers everywhere talking about why Security > Through Obscurity doesn't work as an effective security measure. It is > a bureaucratic dream that if only you pretend the problem doesn't > exist or hide its existence from the general population that the > problem will go away. > > Do the students have to develop new viruses to learn about viruses- > no. But, to quote Albert Einstein "You cannot solve the problem with > the same kind of thinking that has created the problem." > > I think that to develop the next generation of virus defense we need > people to get into the minds of the virus writers and think like them- > use their tools, work the way they work. Maybe by doing so they can > find the chinks in the armor before the bad guys and develop proactive > tools instead of the reactionary virus defense we currently have. 
> > Read the article I wrote on this controversial topic: > http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm > > > Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+ > About.com Guide for Internet / Network Security > http://netsecurity.about.com > > Click here to sign up for the weekly Internet / Network Security > Newsletter: NetSecurity Newsletter
[ISN] IDS: What Lies Ahead?
http://www.eweek.com/article2/0,3959,1124790,00.asp By Dennis Fisher June 11, 2003 A research report saying that intrusion detection systems are outdated and useless has angered some vendors who say that argument deliberately ignores several key facts and discounts IDS' potential. The anger stems from a press release that research firm Gartner Inc. sent out Wednesday. The release touts a recent report that concludes that IDS systems are a complete failure and recommends that enterprise IT managers take whatever money they have allocated for the technology and redirect it toward firewalls. "Intrusion detection systems are a market failure and vendors are now hyping intrusion prevention systems, which have also stalled in the marketplace," said Richard Stiennon, research vice president at Gartner, based in Stamford, Conn. "Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities." That assessment is part of Gartner's Information Security Hype Cycle, which assigns positions in the cycle to a variety of technologies. IDS is among several technologies listed as "sliding into the trough." Gartner's conclusions have many IDS vendors up in arms. "They're advocating the removal of a layer of defense in-depth. They're saying IDS can't get better. They're wrong on two counts," said Martin Roesch, founder and CTO of Sourcefire Inc., based in Columbia, Md., which sells an IDS system based on the open-source Snort technology that Roesch invented. "That's just ridiculous. They're basically saying that the high-level audit function is useless and high-level inspection is the only thing you need." Other vendors disagree with Stiennon's statements about IDS, but say his thoughts on the convergence of security functions in a single device are accurate. "The statement that IDS is dead and IPS is stillborn, that's all to create emotion. 
We disagree with the statement that there's no value in IDS," said Tim McCormick, vice president of marketing at Internet Security Systems Inc. in Atlanta, which is in the process of rolling out a line of security appliances that combine IDS, firewall and other functions. "We built a $240 million business by inventing IDS. But the underlying message about convergence is right on. You need all the components. It's not whether IDS is better than a firewall. You need them all." The Gartner report asserts that IDS systems place too many demands on networks and IT staffs and require far too much care and feeding to be effective. Stiennon says that the new generation of firewalls that combine both network and application-level protection are what corporate networks really need. Roesch dismisses this as hype. "I guess we had the intrusion prevention craze and that lasted for about three months and now we have intelligent firewalls," he said. "Proxy firewalls are dead. Long live proxy firewalls."
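The IDS-versus-IPS argument above, and the ICMPv6 flood item in the Security UPDATE earlier in this digest, both come down to the same engine run in two modes: the same rule that matches a packet can either raise an alert and let the packet through (the "audit function" Roesch defends) or drop it inline (the "prevention" Gartner says has stalled). The following is an added example, not code from eWEEK, Gartner, Sourcefire or the Snort project: a minimal detector with one Snort-style content rule and one sliding-window threshold rule, run over a constructed packet trace. Packet records, rule names, thresholds and payloads are all constructed for illustration.

```python
"""Signature and threshold intrusion detection over a constructed packet trace.

Added example; not code from the eWEEK article, Gartner, Sourcefire or Snort.
Packet records, rule names, thresholds and payloads are constructed here for
illustration. The same engine runs as a passive IDS (alert, forward) or inline
as an IPS (alert, drop).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since trace start
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp6"
    dport: int       # 0 for protocols without ports
    payload: bytes


@dataclass(frozen=True)
class ContentRule:
    """Snort-style content match: protocol, optional destination port, byte string."""
    name: str
    proto: str
    dport: Optional[int]
    content: bytes

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and (self.dport is None or p.dport == self.dport)
                and self.content in p.payload)


class ThresholdRule:
    """Fires once a source has sent more than `count` packets of `proto` to one
    destination inside a sliding window of `window` seconds (a flood detector)."""

    def __init__(self, name: str, proto: str, count: int, window: float) -> None:
        self.name, self.proto, self.count, self.window = name, proto, count, window
        self._seen = defaultdict(deque)   # (src, dst) -> timestamps inside the window

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        q = self._seen[(p.src, p.dst)]
        q.append(p.ts)
        while q and p.ts - q[0] > self.window:   # expire timestamps that fell out of the window
            q.popleft()
        return len(q) > self.count


class Engine:
    """inline=False: passive IDS, every packet is forwarded and hits are logged.
    inline=True: IPS, a packet that matches any rule is dropped (and still logged)."""

    def __init__(self, rules, inline: bool = False) -> None:
        self.rules, self.inline = rules, inline
        self.alerts: List[Tuple[float, str, str, str]] = []
        self.forwarded: List[Packet] = []

    def process(self, p: Packet) -> bool:
        hits = [r.name for r in self.rules if r.matches(p)]
        for name in hits:
            self.alerts.append((p.ts, name, p.src, p.dst))
        if hits and self.inline:
            return False            # dropped
        self.forwarded.append(p)
        return True


def build_rules():
    # Fresh rule objects per run: ThresholdRule keeps per-flow state.
    return [
        ContentRule("WEB-IIS cmd.exe access", "tcp", 80, b"cmd.exe"),
        ThresholdRule("ICMPv6 echo flood", "icmp6", count=20, window=1.0),
    ]


def constructed_trace() -> List[Packet]:
    """Constructed: two benign packets, one web attack, then 25 ICMPv6 echoes in half a second."""
    pkts = [
        Packet(0.00, "10.0.0.5", "10.0.0.80", "tcp", 80, b"GET /index.html HTTP/1.0\r\n"),
        Packet(0.10, "10.0.0.5", "10.0.0.53", "udp", 53, b"\x12\x34\x01\x00"),
        Packet(0.20, "192.0.2.7", "10.0.0.80", "tcp", 80,
               b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"),
    ]
    for i in range(25):
        pkts.append(Packet(1.0 + i * 0.02, "2001:db8::bad", "2001:db8::1",
                           "icmp6", 0, b"\x80\x00" + bytes(14)))   # echo request header + padding
    return pkts


def run(inline: bool) -> Engine:
    """Run the whole constructed trace through a fresh engine and return it for inspection."""
    eng = Engine(build_rules(), inline=inline)
    for p in constructed_trace():
        eng.process(p)
    return eng


if __name__ == "__main__":
    for mode in (False, True):
        e = run(mode)
        print(f"inline={mode}: {len(e.alerts)} alerts, {len(e.forwarded)} of 28 packets forwarded")
        for ts, name, src, dst in e.alerts[:3]:
            print(f"  t={ts:.2f} {name}: {src} -> {dst}")
```

Both modes produce the same six alerts (one content hit, five threshold hits once the 21st echo arrives inside the window); only the forwarded count differs, 28 passive against 22 inline. That is the practical content of the "care and feeding" complaint: the matching logic, and therefore every false positive it produces, is identical in both modes, but a false positive in inline mode drops legitimate traffic, so tuning effort that is optional for an audit-only sensor becomes mandatory the moment the same box sits in the forwarding path.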
RE: [ISN] This computer security column is banned in Canada
Forwarded from: security curmudgeon <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]

: Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]>
: Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
:
: There are articles and papers everywhere talking about why Security
: Through Obscurity doesn't work as an effective security measure. It is
: a bureaucratic dream that if only you pretend the problem doesn't
: exist or hide its existence from the general population that the
: problem will go away.

I don't know where to begin. "Security through obscurity doesn't work" yadda yadda. This has been parroted by a majority of the security industry for a long time. For those who have only been working in the security field for the past two or three years, this is especially true. It seems they read a paper or some CISSP instructor told them and they believed it. Not only believed it, but began preaching it with a fervor typically found in bible schools or cults. If any of these "security experts" would stop to talk about obscurity over a few beers at the next conference, eyes might open a bit more. More on obscurity in a bit.

Your second sentence .. I simply can't tell if this is two separate thoughts put together in the same paragraph, or if you have made the most simple of mistakes when talking about the "security through obscurity" concept. Obscurity isn't pretending the problem doesn't exist. It isn't hiding the existence of a problem typically, just making that problem more difficult to find or reach. In a nutshell, this is no different than putting vulnerable systems behind a strong external layer of security really, where firewalls and IDS guard unpatched Windows NT boxes that haven't seen their first security patch.

While the legions of certified security experts tout these policies and concepts, companies are losing out big. Relying on obscurity as the primary means of protection is a bad idea, no one will argue that. But those taking it one step farther and saying it offers *no* security or "isn't effective" simply don't understand security or obscurity. If you break it down by the cost to implement, it's a much better value than some of the commercial products or security consultants you pay for. It certainly can have a place and is one layer of security a company should consider, in conjunction with other forms of security.

: Do the students have to develop new viruses to learn about viruses-
: no. But, to quote Albert Einstein "You cannot solve the problem with
: the same kind of thinking that has created the problem."

To quote Denzel Washington in _Training Day_: "This shit is chess, not checkers".

: Read the article I wrote on this controversial topic:
: http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm

Bland article, but it did lead me to:

http://netsecurity.about.com/cs/generalsecurity/a/aa060103.htm
Security Through Obscurity: What You Don't Know CAN Hurt You

This two page article barely nicked the surface of security, obscurity or anything related and instead seems to weakly tackle the full disclosure argument more than anything. After hinting about it a little, the article finally concludes:

  Ignorance is not bliss. Security through obscurity doesn't work. It only
  means that the bad guys know things that you don't and will exploit your
  ignorance to the fullest every opportunity they get.

If we look at the basic definition of obscurity:

http://dictionary.reference.com/search?q=obscurity

  2a: The quality or condition of being unknown
  2b: One that is unknown.
  3a: The quality or condition of being imperfectly known or difficult to understand
  3b: An instance of being imperfectly known or difficult to understand.

Your point is that obscurity is a scenario where you don't know something about your network and the attacker does. This is fundamentally wrong, even if you use the "security through obscurity" maxim like most security experts preach. Obscurity is not ignorance, it is making something more difficult to find or more unknown to the attacker. It doesn't necessarily equate to ignoring your own problems or vulnerabilities. Loyal ISN readers should add dictionary.com to their arsenal along with netsecurity.about.com I think.

Now, let's apply this to the most basic of scenarios in a network environment and see if your assertion holds true. Let's take a machine running a web server as an example, since it is a favorite place for attackers to start. Instead of running Apache or IIS or Lotus, let's run something different, that most people haven't run into, and call it BradleyHTTP. In this software, we don't identify the version of software we run, we return 301 instead of 404 and redirect them to the front page, etc. These changes sound like they meet the criteria of making the server "imperfectly known or difficult to understand" since it isn't giving clear answers to many requests (namely 404 in this example) that others do. As such, it is using obscurity as one of many layers o
RE: [ISN] This computer security column is banned in Canada
Forwarded from: "Skroch, Michael" <[EMAIL PROTECTED]>

All,

I appreciate the side discussion on obscurity as an issue in security. While I agree that unbounded reliance on obscurity is ignorant, one should also consider that obscurity is a vital component of a strategic or system view of security--it is valuable and useful. As such, I wanted to point out that unbounded belief that "obscurity is no form of security" ignores useful techniques. I also acknowledge that my point is somewhat off topic considering the specific topic at hand, but might be useful overall.

Here are some examples:

=> Symmetric-key Cryptography uses a key that must be maintained as "obscure" or a secret in order for security to be maintained.

=> It makes sense to keep an identified particular flaw or vulnerability "obscure" until one issues a method to resolve the flaw. Computer incident response groups often use this technique.

=> In the paradigm of "deter-prevent-detect-react-recover" on a network one wishes to defend, one may implement an obscuring mechanism after detection (as a reaction). The purpose of this is to temporarily stop or slow down the adversary until one can further react or recover.

A common thread here is that these methods of obscurity have diminishing value over time. In the first case, one should periodically change keys in a symmetric-key cryptographic system. In the second case, it is foolish to not issue a patch or solution in rapid order. In the third solution, one cannot use the obscuring mechanism all the time because either the adversary would know about it before the attack or a performance degradation may be a feature of the mechanism that is acceptable under attack, but not during other periods. Also, the obscuring mechanism can be analyzed over time, and the attack may only lend the defenders minutes, hours, or days.

So I suggest that even with issues surrounding malicious code, obscurity has a place, but must be considered as a tool with diminishing value over time. How fast that value decays depends on the system context and other risks, such as those suggested by Mark and Tony.

--
Michael J. Skroch (skraw)
Manager, Information Operations Red Team & Assessments
http://www.sandia.gov/iorta/

-----Original Message-----
From: InfoSec News [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 12, 2003 1:40 AM
To: [EMAIL PROTECTED]
Subject: Re: [ISN] This computer security column is banned in Canada

Forwarded from: Mark Bernard <[EMAIL PROTECTED]>

Nice Tony,

You are absolutely correct!! Obscurity does not make a problem go away, in fact it does nothing to solve the problem. What it does do is increase the risk of the vulnerability becoming exploited. Obscurity is not a form of risk acceptance but rather a form of plain ignorance. Like most counter measures we need to understand the problem before solving it. The bad guys are writing malicious code so why don't the good guys learn how to do it too so that they can mitigate the likelihood of exploitation. When we do vulnerability assessments or security assurance reviews we write code, check standards, policies and back doors etc... Learning to write malicious code is just another tool for the old tool box.

Best regards,
Mark, CISM.

- Original Message -
From: "InfoSec News" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, June 05, 2003 5:39 AM
Subject: RE: [ISN] This computer security column is banned in Canada

> Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
>
> There are articles and papers everywhere talking about why Security
> Through Obscurity doesn't work as an effective security measure. It is
> a bureaucratic dream that if only you pretend the problem doesn't
> exist or hide its existence from the general population that the
> problem will go away.
>
> Do the students have to develop new viruses to learn about viruses-
> no. But, to quote Albert Einstein "You cannot solve the problem with
> the same kind of thinking that has created the problem."
>
> I think that to develop the next generation of virus defense we need
> people to get into the minds of the virus writers and think like them-
> use their tools, work the way they work. Maybe by doing so they can
> find the chinks in the armor before the bad guys and develop proactive
> tools instead of the reactionary virus defense we currently have.
>
> Read the article I wrote on this controversial topic:
> http://netsecurity.about.com/cs/generalsecurity/a/aa060303.htm
>
>
> Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
> About.com Guide for Internet / Network Security
> http://netsecurity.about.com
>
> Click here to sign up for the weekly Internet / Network Security
> Newsletter: NetSecurity Newsletter
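The BradleyHTTP scenario from the security curmudgeon post earlier in this thread, and Skroch's point that the value of such a layer decays, as an added example (not code from either post, nor from any real web server): a toy origin server run under a stock policy and under the obscuring policy, and the fingerprint a banner-grabbing probe extracts from each. Server names, header sets and the banner table are constructed for the illustration.

```python
"""Server fingerprint suppression as one defensive layer.

Added example for the BradleyHTTP scenario and for Skroch's point that
obscurity is a layer with decaying value; not code from either post nor
from any real web server. The toy server, its header sets and the banner
table are constructed for this illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


KNOWN_PATHS = ("/", "/index.html")


def serve(path: str, obscure: bool) -> Response:
    """Toy origin server.

    obscure=False: stock behaviour, product banner in Server/X-Powered-By and
                   a distinct 404 with a stock error page for unknown paths.
    obscure=True:  the BradleyHTTP policy from the post: no banner, and unknown
                   paths answered with a 301 to the front page instead of 404.
    """
    found = path in KNOWN_PATHS
    if not obscure:
        headers = {"Server": "Apache/1.3.27 (Unix) PHP/4.3.1",   # constructed banner
                   "X-Powered-By": "PHP/4.3.1"}
        if found:
            return Response(200, headers, b"<html>welcome</html>")
        return Response(404, headers,
                        b"<html><h1>Not Found</h1>The requested URL was not "
                        b"found on this server.</html>")
    if found:
        return Response(200, {}, b"<html>welcome</html>")
    return Response(301, {"Location": "/"}, b"")


# Constructed banner table in the spirit of a banner-grabbing scanner.
BANNER_SIGS = {"Apache": "Apache", "IIS": "Microsoft-IIS", "Lotus": "Lotus-Domino"}


def fingerprint(probe) -> dict:
    """What an attacker learns from two requests. `probe` maps a path to a Response."""
    root = probe("/")
    missing = probe("/this-path-does-not-exist")
    info = {
        "server": "unknown",
        "version": None,
        # Can 'exists' be told apart from 'missing'? That oracle is what makes
        # guessing /admin/, /backup/, /cgi-bin/ worth an attacker's time.
        "path_oracle": missing.status == 404,
        # Extension headers that name the stack behind the server.
        "stack_hints": sorted(h for h in root.headers if h.startswith("X-")),
    }
    banner = root.headers.get("Server", "")
    for name, needle in BANNER_SIGS.items():
        if needle in banner:
            info["server"] = name
            product = banner.split()[0]                   # e.g. "Apache/1.3.27"
            info["version"] = product.split("/", 1)[1] if "/" in product else None
    return info


if __name__ == "__main__":
    for obscure in (False, True):
        print("obscure =", obscure, fingerprint(lambda p: serve(p, obscure)))
```

With the obscuring policy the probe learns neither product nor version and loses the 404 oracle that makes path guessing worthwhile. What it does not lose is behaviour: a real scanner also sends malformed requests and compares how each server fails, so the product is still recoverable with more effort, which is the decay Skroch describes. The layer buys cost and time, not immunity, and the unpatched box behind it still needs its patch.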
[ISN] [defaced-commentary] Guilty plea in Al-Jazeera site hack
-- Forwarded message --
Date: Thu, 12 Jun 2003 20:52:22 -0400 (EDT)
From: security curmudgeon <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [defaced-commentary] Guilty plea in Al-Jazeera site hack

Guilty plea in Al-Jazeera site hack

By Robert Lemos
Staff Writer, CNET News.com
June 12, 2003, 12:30 PM PT
http://news.com.com/2100-1002-1016447.html

A central California man pleaded guilty Thursday to two charges stemming from an attack on the Web site of the Arab news service Al-Jazeera during the early days of the Iraq conflict.

In a plea agreement with the U.S. Attorney's office for the Central District of California, John William Racine II, a 24-year-old Web designer, admitted to tricking VeriSign subsidiary Network Solutions into giving him ownership of the aljazeera.net domain. Racine said he then redirected visitors to that Internet address to another site, where they were greeted by an American flag and the phrase "Let freedom ring."

The Norco, Calif., resident turned himself in to FBI agents on March 26, according to the plea agreement.

"Racine gained control of the aljazeera.net domain name by defrauding Network Solutions, where Al-Jazeera maintained an account for its domain name and e-mail services," the U.S. Attorney's office said in a statement.

Racine, also known as "John Boffo," used a false photo identification card and forged signature to impersonate an Al-Jazeera systems administrator and get control of Al-Jazeera's account, according to the plea agreement. In doing so, he gained control of where any data sent to aljazeera.net--including Web page requests and e-mail--ultimately ended up. The actual defacement appeared on a free Web site service provided by NetWorld Connections.

Technically known as a "redirect," the hack caused Web browsers that attempted to go to www.aljazeera.net--as well as the English-language site, english.aljazeera.net--to be surreptitiously redirected to the content hosted on NetWorld's servers and see the American flag instead.

For an entire week in late March, Al-Jazeera had to contend with technical problems and hackers that caused the site to be unavailable as often as not.

The Arabic and English news service, based in Doha, Qatar, found itself the focus of controversy during the war in Iraq for its coverage of the conflict. Opponents charged the Arab news group with bias, but many others have tuned into the young network's TV broadcasts and Web site for an alternative view of the issues surrounding the war and America's occupation of the Middle Eastern country.

Al-Jazeera also had to face its reporters being barred from the New York Stock Exchange and the Nasdaq after the Pentagon criticized the news agency's coverage of the war. Some U.S. officials commented that pictures and video that showed prisoners of war and dead American soldiers violated the Geneva Conventions on the treatment of captured soldiers and casualties.

The plea agreement states that on March 24, after the initial verbal salvos between U.S. government officials and Al-Jazeera, Racine searched the Internet and found that Muhammed Jasim AlAli was listed as the administrative contact for the Arab news service's Internet domain, aljazeera.net. He then created an account on Microsoft's Hotmail and impersonated AlAli in telephone messages and e-mail to VeriSign, claiming that he needed to have the account password changed.

Unable to answer a challenge question by a VeriSign employee, he said he would call back later. Racine then created a false photo identification card with the name "Mohammed Jasim AlAli" and forged an authorization form that requested VeriSign change the password. He sent the documents to VeriSign subsidiary Network Solutions and followed up with a telephone call. Based on that documentation and the phone call, VeriSign changed the password on March 25, the plea agreement stated.

On March 27, after the defacement gained media attention, VeriSign suspended the Al-Jazeera account. By then, Racine had already contacted the FBI and provided the agency with evidence of what he had done, the plea agreement stated. Racine "admitted that he knew his conduct was unlawful and voluntarily provided the documents and information to the FBI to assist in its criminal investigation," the agreement said.

Racine could have faced up to 25 years in prison and a fine of $500,000. However, the U.S. Attorney's office has agreed to request a much lighter sentence: three years of probation and 1,000 hours of community service. The ultimate decision on the sentence, however, resides with the judge.

Racine signed the plea agreement on Thursday, said the U.S. Attorney's office. He will be arraigned in court Monday.

VeriSign couldn't immediately comment on the case.

-
The information and commentary is Copyright 2003, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited.
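The hijack above touched nothing on Al-Jazeera's own servers: the registrar account changed, the delegation followed, and with it every web request and every e-mail for the domain. An outside-looking check catches that class of change whatever its cause. The following is an added example (not code from Al-Jazeera, Network Solutions/VeriSign or CNET) that diffs a known-good record baseline against an observed snapshot. Names, addresses and both snapshots are constructed placeholders; a real deployment would fill the observed side from live queries run from several vantage points on a schedule.

```python
"""Detecting a registrar-level domain hijack from the outside.

Added example for the attack described above, in which control of the
registrar account, not the web server, moved a site and its mail; not code
from Al-Jazeera, Network Solutions/VeriSign or CNET. Names, addresses and
both snapshots are constructed (RFC 2606/5737 placeholders). A real job
would fill `observed` from live queries made from several vantage points.
"""

# Record sets keyed by (owner name, type); sets because answer order is irrelevant.
BASELINE = {
    ("example-news.net", "NS"): {"ns1.example-news.net.", "ns2.example-news.net."},
    ("example-news.net", "MX"): {"10 mail.example-news.net."},
    ("www.example-news.net", "A"): {"192.0.2.10"},
    ("english.example-news.net", "A"): {"192.0.2.11"},
}

# Constructed snapshot after a registrar-side change: the apex now delegates to
# someone else's name servers, so every name under it (web and mail) follows.
OBSERVED_HIJACKED = {
    ("example-news.net", "NS"): {"ns1.free-host.example.", "ns2.free-host.example."},
    ("example-news.net", "MX"): {"10 mail.free-host.example."},
    ("www.example-news.net", "A"): {"203.0.113.5"},
    ("english.example-news.net", "A"): {"203.0.113.5"},
}

# Constructed snapshot of a routine change: one web host re-addressed, delegation intact.
OBSERVED_ROUTINE = {**BASELINE, ("www.example-news.net", "A"): {"192.0.2.20"}}

RANK = ("medium", "high", "critical")
SEVERITY = {"NS": "critical", "MX": "high", "A": "high", "AAAA": "high", "CNAME": "high"}


def diff_records(baseline, observed):
    """One alert per (name, type) whose record set differs from the baseline."""
    alerts = []
    for key in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(key, set()), observed.get(key, set())
        if old != new:
            name, rtype = key
            alerts.append({"name": name, "type": rtype,
                           "removed": sorted(old - new), "added": sorted(new - old),
                           "severity": SEVERITY.get(rtype, "medium")})
    return alerts


def delegation_changed(alerts, apex):
    """An NS change at the apex means the delegation itself moved, i.e. the
    registrar or parent zone was changed, not that one host record was edited."""
    return any(a["type"] == "NS" and a["name"] == apex for a in alerts)


def triage(baseline, observed, apex):
    """Summary a monitoring job would emit for one comparison."""
    alerts = diff_records(baseline, observed)
    return {
        "alerts": alerts,
        "worst": max((a["severity"] for a in alerts), key=RANK.index, default=None),
        "delegation_changed": delegation_changed(alerts, apex),
    }


if __name__ == "__main__":
    for label, snap in (("hijacked", OBSERVED_HIJACKED), ("routine", OBSERVED_ROUTINE)):
        r = triage(BASELINE, snap, "example-news.net")
        print(f"{label}: worst={r['worst']} delegation_changed={r['delegation_changed']}")
        for a in r["alerts"]:
            print(f"  [{a['severity']}] {a['name']} {a['type']}: -{a['removed']} +{a['added']}")
```

Query from outside your own recursive resolver so a cached answer does not mask the change, and treat an NS change at the apex as an incident rather than drift, since the registrar is the only place it can come from. The same check also points at where the fix lives: a registrar lock on updates and transfers, and verification through the contact channel already on file before any password reset, are what would have stopped a forged ID card and authorization form from working here.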
[ISN] Business security depends on people
Forwarded from: William Knowles <[EMAIL PROTECTED]>

http://www.santacruzsentinel.com/archive/2003/June/12/biz/stories/01biz.htm

By JENNIFER PITTMAN
Sentinel correspondent
June 12, 2003

SCOTTS VALLEY - Patents and copyrights aren't enough to safeguard a company's treasures, according to Curtis Coleman. The director of worldwide electronic security for Seagate Technology touts the need for an increasingly holistic view of corporate security in a competitive world.

Coleman's job is to look for trouble, preferably before it happens, by scoping out potential vulnerabilities that could put his employer's business in danger. He is charged with safeguarding the international company's proprietary information, which includes technology the company develops and uses as well as data and business systems.

As the main speaker today at the Santa Cruz-based Intellectual Property Society luncheon, Coleman aims to link high-tech security issues pertinent to business with the everyday security issues that companies often overlook.

"Most people think corporate espionage is only in the movies and has nothing to do with the ordinary company that might just be getting formed, but what we've discovered in the last three to five years is that there's an increase in five areas in how intellectual property is getting out of companies," Coleman said. "People are very lax about security. They think they don't have to secure anything."

Coleman, a former U.S. Air Force commander specializing in computer security systems, helps train law enforcement in computer forensic techniques as well as security management courses. He will cover the five problem areas, as well as corporate espionage, and the bridge between high-tech and no-tech security solutions.

"Usually we talk about legal rights," said Patrick Reilly, founder and president of the Intellectual Property Society. "But there is a pragmatic issue of how physically you protect your property."

Intellectual property security isn't just important for tech-development companies, Reilly said. It's important for artists and small businesses of all kinds that need to protect their competitive secrets about how they win business.

While many smaller and midsize companies may not think they need to protect their intellectual property, or only need to protect information about a specific design or product, Coleman says that companies of all types and sizes are relatively ill-equipped to protect themselves.

Hired investigators in a growing market for competitive intelligence can learn a lot about a company simply by collecting pieces of information that are often considered innocuous, such as how late people stay at an office or how behind in bill payments they are. The fact that engineers suddenly stop publishing reports on new technologies may indicate a startup is under way.

Coleman is especially wary of friendly little phone conversations involving seemingly innocuous details about a company's routine business that reveal information a company might not normally want to share.

"Most people think getting something that's high technology is going to protect them," Coleman said. "But the human firewall is key to protecting intellectual property."

According to the Eighth Annual Computer Crime and Security Survey released this month by the FBI and the Computer Security Institute, theft of proprietary information caused the greatest financial loss - about $70.2 million - among 251 organizations interviewed this year. The second most expensive computer crime among survey respondents was denial of service, at $65.64 million, according to the survey. Computer viruses and insider abuse of network access were the most commonly cited forms of attack or abuse.

On the brighter side, financial fraud was only about $10.18 million compared to almost $116 million reported last year, and while there was about the same amount of unauthorized computer use at organizations, resulting annual losses were down from 2002 to 2001 figures.

The survey included business, government, education and legal respondents. The authors noted that most respondents said they don't report intrusions to law enforcement for fear of negative publicity and competition. According to the FBI/CSI report, only 30 percent of the respondents reported computer intrusions in the last 12 months.

Scotts Valley Police Detective Sergeant Donna Lind, who heads the Santa Cruz County High Tech Crime Investigators Association, said identity theft is the largest growing crime nationwide and is costing individuals and businesses more each year.

"We have had businesses where their records have been taken," Lind said. "They've obtained personal records, PIN numbers and passwords. The crooks that we're dealing with are becoming more high tech."

*==*
"Communications without intelligence is noise; Intelligence w
[ISN] Hacker Sentenced to Federal Prison
http://www.lasvegassun.com/sunbin/stories/tech/2003/jun/12/061200998.html

June 12, 2003

SACRAMENTO, Calif. (AP) - An 18-year-old hacker who breached computers at Sandia National Laboratories and posted an anti-Israeli message on the Eglin Air Force Base Web site was sentenced Thursday to a year and a day in federal prison.

Adil Yahya Zakaria Shakour also was ordered to pay $88,253 in restitution, and his computer use was restricted during the three years he will spend under supervised release after his prison term.

Shakour, a Pakistani national who lives in Los Angeles, pleaded guilty in March to computer and credit card fraud charges.

Shakour penetrated the Florida air base's computer server repeatedly in April and May 2002, altering the Web page to denounce the Israeli advance into Palestine. Damage to the air base computer system was estimated at $75,000, while more than $2,700 in damage was done to the Sandia Laboratories Web site in Livermore.

Shakour also hacked two other computer systems, including Mathews, N.C.-based Cheaptaxforms.com, where he obtained credit card information and bought more than $7,000 worth of items.
[ISN] Linux Advisory Watch - June 13th 2003
LinuxSecurity.com                                  Linux Advisory Watch
June 13th, 2003                                   Volume 4, Number 23a

Editors: Dave Wreski, Benjamin Thomas
[EMAIL PROTECTED] [EMAIL PROTECTED]

Linux Advisory Watch is a comprehensive newsletter that outlines the security vulnerabilities that have been announced throughout the week. It includes pointers to updated packages and descriptions of each vulnerability.

This week, advisories were released for the Linux kernel, eterm, xaos, ethereal, atftp, gnocatan, nethack, slashem, cupsys, mod_php, zlib, kon2, gzip, KDE, hanterm, pptpd, cups, and lv. The distributors include Debian, Gentoo, Immunix, Mandrake, OpenPKG, RedHat, SuSE, Turbolinux, and Yellow Dog.

Last week, I discussed how HIPAA should be viewed as a step in the right direction, rather than a burden for U.S. healthcare companies. I received a lot of positive feedback from readers who are happy that they now have an adequate budget to address security problems. This week, I wanted to take a look at BS7799 and ISO17799.

BS7799 was first developed by the UK Department of Trade and Industry's (DTI) Commercial Computer Security Centre (CCSC) and prepared by the British Standards Institution with the goal of developing a set of security management standards that can be used across many industries. Soon after establishing the BS7799, it was submitted to the International Organization for Standardization (ISO). After several revisions, BS7799 was accepted and used as a basis for ISO17799.

What is the goal of BS7799 & ISO17799? Each was created with the specific purpose of providing an established starting point for organizations to develop an information security program. Similar to HIPAA, the '7799' standards intend to help an organization maintain strict data confidentiality, integrity, and availability. The standards and recommendations are written with upper information security management as an intended audience.

What makes up the standards? Each standard outlines organizational security issues, asset classification, personnel security, security policy, physical and operational security, access control, systems development, business continuity management, and standards compliance. Organizations have many reasons for wanting to comply with international standards. Although one could argue the case that '7799' is incomplete, it does accomplish its goals. These standards provide the basic building blocks for constructing an information security program in your organization.

Until next time,
Benjamin D. Thomas
[EMAIL PROTECTED]

FEATURE: Real-Time Alerting with Snort

Real-time alerting is a feature of an IDS or any other monitoring application that notifies a person of an event in an acceptably short amount of time. The amount of time that is acceptable is different for every person.
http://www.linuxsecurity.com/feature_stories/feature_story-144.html

LINUXSECURITY.COM FEATURE: Intrusion Detection Systems: An Introduction
By: Alberto Gonzalez

Intrusion Detection is the process and methodology of inspecting data for malicious, inaccurate or anomalous activity. At the most basic levels there are two forms of Intrusion Detection Systems that you will encounter: Host and Network based.
http://www.linuxsecurity.com/feature_stories/feature_story-143.html

Distribution: Debian

6/9/2003 - kernel
  Multiple vulnerabilities
  A number of vulnerabilities have been discovered in the Linux kernel.
  http://www.linuxsecurity.com/advisories/debian_advisory-3340.html

6/6/2003 - eterm
  Buffer overflow vulnerability
  A buffer overflow vulnerability has been discovered in eterm.
  http://www.linuxsecurity.com/advisories/debian_advisory-3341.html

6/8/2003 - xaos
  Improper setuid-root execution
  An improper setuid-root execution vulnerability has been discovered in xaos.
  http://www.linuxsecurity.com/advisories/debian_advisory-3342.html

6/11/2
[ISN] Secunia Weekly Summary
===
The Secunia Weekly Advisory Summary
2003-06-05 - 2003-06-12

This week : 57 advisories
===

Secunia would like to offer you a 30 day free trial of our Vulnerability Tracking Service. View this page for more information:
http://www.secunia.com/free_trial/

===

2003-06-12

  Enceladus Server Suite Multiple Vulnerabilities
    Less critical        http://www.secunia.com/advisories/9003/
  Debian update for slashem
    Less critical        http://www.secunia.com/advisories/9002/

2003-06-11

  Mailtraq Multiple Vulnerabilities
    Moderately critical  http://www.secunia.com/advisories/9001/
  Spyke's PHP Board Multiple Vulnerabilities
    Moderately critical  http://www.secunia.com/advisories/9000/
  FTP Voyager Long Filename Buffer Overflow
    Less critical        http://www.secunia.com/advisories/8999/
  SmartFTP PWD Reply and Long File List Vulnerabilities
    Less critical        http://www.secunia.com/advisories/8998/
  LeapFTP PASV Reply Buffer Overflow Vulnerability
    Less critical        http://www.secunia.com/advisories/8997/
  SGI IRIX PIOCSWATCH Denial of Service Vulnerability
    Not critical         http://www.secunia.com/advisories/8996/
  Immunix update for tetex
    Less critical        http://www.secunia.com/advisories/8995/
  SGI IRIX Broadcast Address Checking Vulnerability
    Less critical        http://www.secunia.com/advisories/8994/
  Mandrake update for Ghostscript
    Less critical        http://www.secunia.com/advisories/8993/
  Nuca WebServer Directory Traversal Vulnerability
    Moderately critical  http://www.secunia.com/advisories/8992/
  Linux Kernel 2.0 Information Leak
    Moderately critical  http://www.secunia.com/advisories/8991/
  Debian update for gzip
    Less critical        http://www.secunia.com/advisories/8990/
  Windows 2003 Server NIC Driver Information Disclosure Vulnerability
    Less critical        http://www.secunia.com/advisories/8987/
  FlashFXP Multiple Vulnerabilities
    Less critical        http://www.secunia.com/advisories/8977/

2003-06-10

  Debian update for kernel (PowerPC)
    Moderately critical  http://www.secunia.com/advisories/8989/
  Debian update for kernel (i386)
    Moderately critical  http://www.secunia.com/advisories/8988/
  Debian update for Eterm
    Less critical        http://www.secunia.com/advisories/8986/
  SGI IRIX update for WebSetup / WebMin
    Highly critical      http://www.secunia.com/advisories/8985/
  Speak Freely Multiple Vulnerabilities
    Highly critical      http://www.secunia.com/advisories/8984/
  zblast Privilege Escalation Vulnerability
    Not critical         http://www.secunia.com/advisories/8983/
  mnoGoSearch "ul" and "tmplt" Buffer Overflow Vulnerabilities
    Highly critical      http://www.secunia.com/advisories/8982/
  Red Hat update for kon2
    Less critical        http://www.secunia.com/advisories/8981/
  Red Hat update for tcpdump
    Less critical        http://www.secunia.com/advisories/8980/
  MaxWebPortal Multiple Vulnerabilities
    Moderately critical  http://www.secunia.com/advisories/8979/
  Mac OS X File Sharing Insecurity
    Less critical        http://www.secunia.com/advisories/8978/

2003-06-09

  HP-UX "uucp" and "uusub" Unspecified Buffer Overflow Vulnerabilities
    Less critical        http://www.secunia.com/advisories/8976/
  Debian update for xaos
    Less critical        http://www.secunia.com/advisories/8975/
  OpenSSH IP address restriction bypass
    Not critical         http://www.secunia.com/advisories/8974/
  Novell iChain Authentication Buffer Overflow Vulnerability
    Highly critical      http://www.secunia.com/advisories/8973/
  Novell Netware HTTPSTK Denial of Service Vulnerability
    Moderately critical  http://www.secunia.com/advisories/8972/
  HP-UX Unspecified Denial of Service Vulnerability
    Less critical        http://www.secunia.com/advisories/8971/
  HP-UX Unspecified CDE Buffer Overflow Vulnerabilities
    Moderately critical  http://www.secunia.com/advisories/8970/
  Gentoo update for atftp
    Moderately critical  http://www.secunia.com/advisories/8969/
  atftp filename Buffer Overflow
    Moderately critical  http://www.secunia.com/advisories/8968/
  SuSE update for CUPS
    Less critical        http://www.secunia.com/advisories/8967/
  Mercur Mail Server IMAP Buffer Overflow
    Highly critical      http://www.secunia.com/advisories/8966/
  SuSE update for pptpd
    Highly critical      http://www.secunia.com/advisories/8965/
  ImageFolio Directory Traversal and Default Password
    Less critical        http://www.secunia.com/advisories/8964/

2003-06-06

  Synkron.web Cross Site Scripting
    Less critical        http://www.secunia.com/advisories/8963/
  Immunix update for wget
    Less critical        http://www.secunia.com/adviso
[ISN] [defaced-commentary] Known cyber-hacker charged
-- Forwarded message -- Date: Mon, 16 Jun 2003 01:25:02 -0400 (EDT) From: security curmudgeon <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: [defaced-commentary] Known cyber-hacker charged From: William Knowles http://www.cincypost.com/2003/06/13/hacker061303.html [ http://www.zone-h.org/en/search/what=Hackah+Jak/ - WK] By A. Scott Mungin Post staff reporter 06-13-2003 A Camp Dennison man known in cyber space circles as one of the nation's foremost "hacktivists" -- politically motivated computer hackers -- has been indicted by a Hamilton County grand jury. Jesse Tuttle was indicted Tuesday on six counts of unauthorized use of property and 10 counts of pandering sexually oriented material involving a minor. Tuttle, 23, known online as "Hackah Jak," is accused of trying several times to hack into the Web sites of the sheriff and Hamilton County government, and gaining access to the county Web site on May 3. When he hacked into Hamilton County's Web site and gained access to its content, he took a screen shot of the network directories found on the main computer running the county's Web site and e-mailed it to the county. The screen shot indicated the hacker having access to the Web server, the directories, and the site itself , but nothing more, said Ron Bien, lead telecommunication specialist for the Hamilton County Communication Center. The center is responsible for the county's computers and telecommunications. If convicted, Tuttle faces up to six years in prison on the unauthorized use of property counts. The 10 pandering charges are potentially far more serious, carrying total penalties of up to 80 years in prison. The grand jury alleged that after officers served a warrant and seized Tuttle's home computer, they found multiple images of child pornography that had been downloaded from the Internet. 
Tuttle is a "recognized computer hacker," said Hamilton County Prosecutor Mike Allen, and claims to have hacked into computer systems and networks owned by the University of Cincinnati, Hamilton County, Cincinnati police and the sheriff's office, among others.

But he's best known in cyberspace for his computer attacks on Web sites of those he considered enemies of the U.S. He admitted to defacing dozens of Chinese government Web sites and shutting down several networks run by the People's Republic of China after the Chinese took the crew of an American spy plane into custody in the spring of 2001.

"I just toyed around in there," he said in an interview with The Post earlier this year. "I moved some funds around and broke some things."

After the Sept. 11, 2001, terrorist attacks on the World Trade Center and the Pentagon, Tuttle was believed to have participated in attacks on sites he and his cohorts believed to be pro-Iraqi.

Tuttle, who said he tends bar and lives with his parents, said in the earlier interview that hacking is "being given a problem with many variables and seeing it to the end. Hacking is having the will to explore farther than what is known."

- The information and commentary is Copyright 2003, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.
Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: [EMAIL PROTECTED]

To subscribe to Defaced Commentary, send mail to [EMAIL PROTECTED] with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.
[ISN] India gears up to fight hackers
http://news.bbc.co.uk/1/hi/technology/2988604.stm

By Habib Beary
BBC reporter in Bangalore
14 June, 2003

India's first internet security centre is due to become operational in July. The centre will aim to prevent cyber attacks on key defence, business and government establishments.

The project is being handled by the central information technology ministry with the help of the US-based security group, CERT. CERT is a research and development centre run by Carnegie Mellon University that helps improve internet security.

Security concerns

The date for the launch of the net security centre was announced by India's Information Technology Secretary Rajiv Ratan Shah in the southern Indian city of Bangalore. Mr Shah said the government was keen to counter cyber attacks on defence, business and government organisations.

Based in the capital, Delhi, the centre is expected to cost up to $20m. A second centre will be set up in Bangalore at India's leading research organisation, the Indian Institute of Science.

The government is also planning to introduce a bill in parliament which will seek to protect data, to address the security concerns of companies both Indian and foreign. "We are ready with the draft of the act which will help in building confidence of customers to outsource work from here", Mr Shah said in an address to a conference organised by India's software body Nasscom.
[ISN] Recent Gartner Report on IDS/IPS
Forwarded from: Gary Golomb <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]

Ok, this is going to be long. Also, this email is being written entirely on my own impetus and **definitely does not** reflect the views of my employer. (In fact, I'll be surprised if I make it through this one without any bruises.)

Gartner, Inc. has recently released a document authored by Richard Stiennon entitled, "Intrusion Detection Is Dead - Long Live Intrusion Prevention." (So I'm guessing we don't need to cover what that document is about.) Gartner is self-described as, "For 20 years, Gartner's Research & Advisory services have been recognized as the definitive source for objective technology thought leadership." Ok, fair enough. I'm a fair person and everyone makes mistakes. Unfortunately, this is not Gartner's first mistake along these lines. Here's a quote from a paper now a year and a half old (also from Gartner):

"Intrusion Prevention Will Replace Intrusion Detection. Enterprises should delay new large investments in intrusion detection systems -- which have failed to provide additional security -- until intrusion prevention systems emerge that provide a stronger defense against 'cyberattacks.'"

No, this is not the first time Gartner has displayed such a grotesque misunderstanding of detecting and defending against *real* threats, but this is definitely the most horrible.

So, for all those who take statements like the above seriously, let's define WHY people use Intrusion Detection technologies in the first place. Intrusion Detection systems are used for one reason. It's your last chance to be notified about a potential break-in; a virtual safety net. Once an organization has invested massive amounts of time, money, and resources into setting up "PROTECTIVE" technologies such as (but not limited to) firewalls, encryption, authentication, proxies, gateways, PKI, VPN, access control, virus detection/removal, etc... the IDS serves the single purpose of sitting back and watching over everything to see if people are still getting through.

And here's a curveball for you: After all the protective technologies just described, attackers (both automatic like worms/viruses and live people) were/are STILL getting through! Whether it's because of vulnerabilities in network designs, application vulnerabilities, or unknowingly misconfigured devices, they do get through. And this is why IDS's were invented...

The main difference between an IDS and other security devices is the fact that it's out-of-band, or passive in nature. It passively watches all traffic looking for SIGNS of attacks, compromise, or other misuse. The key benefit to being out-of-band is that you have the ability to flag traffic that looks even the slightest bit "suspicious." If you have an IDS that is telling you that too much is "suspicious," then tune it! What's suspicious in one environment might not be in another. Vendors try to compensate as best as possible, but only YOU know YOUR environment the best! Once it is flagged, it is usually logged and followed up by automated processing, or people-based responses.

So, now that we're on relatively the same page when it comes to ID, let's look at Gartner's reasons for stating that we don't need this technology anymore.

---
Statement #1
"Contrary to the philosophy that it is impossible to protect a network from all of the attacks leveled against it..."
---

Ok, this one is more comical than anything else. It's the first sentence in the document. By starting off by telling us that it *IS* indeed possible to protect a network from ALL attacks leveled against it, I had to chuckle. It also set the stage for the rest of the document.

---
Statement #2
"The 'demilitarized zone' (DMZ) architecture has been punctured by many exceptions to security policies. It poses a threat to mission-critical services."
---

Since DMZ's [apparently] pose a threat to critical services, Richard proposes (what he dubs as) a new nomenclature and architecture for replacing the DMZ. The new name is: The Transition Zone. (TTZ?) The way TTZ works is by taking your public resources (like a firewall, mail server, or whatnot) and placing them on a network that is logically between the Internet and your internal network. This middle ground is separated from the Internet via a firewall or gateway that allows limited access to the public resources. There is a second firewall that separates the TTZ from the internal network, which I presume is more restrictive. Interestingly enough, that's what the rest of the world calls a "DMZ." I saw no difference between the proposed TTZ and how most organizations that I have seen implement their DMZs.

---
Statement #3
Regarding another problem with hosts in the DMZ: "Because of the constant exposure of these assets to the outside world, they must be protected by a greater investment in security devices, rather than treated as untrusted, even sacrificial hosts."
---

I just called a couple
[ISN] New Breed of Trojan Raises Security Concerns
http://www.eweek.com/article2/0,3959,1126743,00.asp

By Dennis Fisher
June 13, 2003

Security researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack. However, experts have been unable to pin down many of the details of the program's behavior and are unsure how many machines might be compromised by the Trojan.

The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on. The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making it much more difficult for researchers to track infected hosts.

The program appears to scan IP addresses at a rate that would let it cover about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope Inc., an Atlanta-based security vendor. The company has seen the new Trojan on its own honeynet and has also observed it on the network at a university. The company said it was alerted to the existence of the Trojan by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center.

A spokesman for the FBI confirmed that the bureau was aware of the issue, but said there was little it could do unless there's an incident. "Until something happens, the FBI is on the sidelines on this one," said Bill Murray, spokesman for the FBI in Washington. "There's not really anything to investigate."

Unlike typical Trojans, the new program does not have a controller e-mail address written into the source code.
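The one concrete identifier the article gives is a TCP SYN whose window size is always 55808, which is exactly the kind of narrow, passive signature the IDS thread above argues for: flag it out-of-band, then tune. The following Python is an added example, not code from the article, from Lancope, or from any vendor. It parses raw IPv4/TCP packets, flags initial SYNs carrying that window size, and tallies them per source. The packet bytes are constructed inline with documentation-range addresses; PROBE_WINDOW, parse_ipv4_tcp, is_probe, find_probes and probe_sources are names chosen here. Per-source counts are only a lead, not attribution, because the article says the program can spoof its source addresses.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# The only identifying characteristic the article gives: every probe is a
# TCP SYN whose window size is exactly 55808.
PROBE_WINDOW = 55808

TCP_SYN = 0x02
TCP_ACK = 0x10


@dataclass
class TcpSummary:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    window: int


def parse_ipv4_tcp(frame: bytes) -> Optional[TcpSummary]:
    """Pull the fields we need out of a raw IPv4/TCP packet.

    Returns None for anything that is not IPv4 carrying TCP, or is too short
    to hold both headers, so the caller can skip it quietly.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4              # IPv4 header length in bytes
    if ihl < 20 or frame[9] != 6 or len(frame) < ihl + 20:
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    # Bytes 12-13 of the TCP header: data offset (4 bits), reserved, flags (9 bits).
    off_flags, window = struct.unpack("!HH", frame[ihl + 12:ihl + 16])
    return TcpSummary(src, dst, sport, dport, off_flags & 0x01FF, window)


def is_probe(pkt: TcpSummary) -> bool:
    """Initial SYN (SYN set, ACK clear) with the fixed window size."""
    return (pkt.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN and pkt.window == PROBE_WINDOW


def find_probes(frames: Iterable[bytes]) -> List[TcpSummary]:
    """Passive pass over a capture: return only the frames that match."""
    hits = []
    for frame in frames:
        pkt = parse_ipv4_tcp(frame)
        if pkt is not None and is_probe(pkt):
            hits.append(pkt)
    return hits


def probe_sources(hits: Iterable[TcpSummary]) -> Dict[str, int]:
    """Count probes per source address.

    Only an approximation of who is infected: the article notes the program
    can spoof source addresses, so treat these as leads, not attribution.
    """
    return dict(Counter(h.src for h in hits))


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int,
                   flags: int, window: int) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, checksums left zero."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src_b, dst_b)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


# Constructed sample capture (documentation-range addresses), not real traffic.
SAMPLE_FRAMES = [
    build_ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 80, TCP_SYN, PROBE_WINDOW),
    build_ipv4_tcp("192.0.2.20", "192.0.2.10", 50123, 443, TCP_SYN, 65535),
    build_ipv4_tcp("192.0.2.10", "192.0.2.20", 443, 50123, TCP_SYN | TCP_ACK, PROBE_WINDOW),
    build_ipv4_tcp("198.51.100.7", "192.0.2.11", 40001, 22, TCP_SYN, PROBE_WINDOW),
    b"\x60" + b"\x00" * 39,                       # IPv6 header, ignored by the parser
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_FRAMES)
    for p in probes:
        print(f"probe {p.src}:{p.sport} -> {p.dst}:{p.dport} window={p.window}")
    print("per-source counts:", probe_sources(probes))
```

Run as a script it prints the two matching probes and their per-source tally; on live traffic you would feed the same parser from a pcap reader. A SYN-ACK carrying the same window is deliberately not flagged, since the article describes the probe as a SYN request; widen the match only if your own captures justify it, which is the "tune it to your environment" point of the IDS thread.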
[ISN] Do no harm: HIPAA's role in preventing ID theft
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,82051,00.html

By Marne Gordan
JUNE 12, 2003
Computerworld

With the Health Insurance Portability and Accountability Act (HIPAA) privacy deadline recently passed, most health care providers and plan companies are preparing to implement the final rule for security. While many of these organizations are focused on the lack of budgetary and staff resources necessary to fulfill another unfunded federal mandate, most have lost sight of why this level of protection is necessary.

As organizations (known in the legal jargon as "covered entities") begin their risk assessments and risk management planning, it's important to remember one of the key principles of the regulations, and that is patient protection. The standard clearly states that the organization must ensure the confidentiality, integrity and availability of protected health information (PHI) and safeguard it from threats, hazards and unauthorized disclosure, but the act neglects to underscore why it's important to do so.

PHI is composed of the patient's most personal information, which includes most health records and data files that typically include name, address, Social Security number and a combination of the following:

* Insurance information
* Payment information
* Past and present medical condition(s)
* Past and present treatments
* A variety of other individually identifiable health or personal information

Although not expressly stated in the privacy or security rules, HIPAA establishes that PHI is primarily the patient's personal property and not a corporate asset of the regulated organizations. Corporations are therefore required by law to take precautions to protect the privacy of patient information whenever it's used, from back-office transactions to personal patient interactions.

Where's the harm?

Previously, industry experts have focused on harm at the individual level, in other words, the PHI of a single patient being compromised and made public to the specific detriment of that person. For example, in 1998, an Atlanta truck driver lost his job after his employer learned from his insurance company that he had sought treatment for a drinking problem. In another example, an employee was automatically enrolled in a mandatory "depression program" by her employer, Motorola Inc., after her prescription drugs management company reported that she was taking antidepressants.

These cases tend to generate sympathy from the general public, but it's frequently an uphill battle for a victim of such exposure to prove substantial harm in the courts and trace the source of that exposure directly back to the health care organization. Harm to the individual can range from simple embarrassment all the way to financial hardship.

The primary source of harm to the individual actually exists at the aggregate level, in databases that contain the files of hundreds or thousands of patients. These databases are commonly held by hospitals, midsize and large health plans, billing organizations, data warehouses, records storage facilities and even some application service providers. Although some industry experts tend to disagree, these covered entities are appealing targets for identity theft, the fastest growing crime in the U.S. today. While not as obvious or attractive a target as financial services or e-commerce companies, these covered entities represent a significant opportunity for enterprising thieves, by virtue of the data that they process and store. For example, if a large biller's database were hacked and the PHI stolen, criminals could have access to insurance information, credit card information and the Rosetta stone for identity thieves, Social Security numbers.

If such a case were to come to court, a plaintiff's attorney could easily prove to a judge and jury that substantial harm was inflicted upon the individuals whose identities were stolen, and the organization's security controls at the time of the breach would definitely be called into question.

Others find covered entities equally attractive, but for different reasons. Unlike identity theft, where financial gain is the motive, the fact that HIPAA privacy and security standards are seen as a challenge to some hackers makes the health care industry a target. These are the "altruistic" independent hackers and hacker groups, such as Deceptive Duo, S4t4n1c_S0uls and The Bugz, who feel it's their sacred duty to exploit and publicly expose weaknesses in the infrastructure of various industries, or deficiencies in federal security mandates. This was precisely the nature of the hack at the University of Washington Medical Center in Seattle in December 2000. A hacker going by the name "Kane" allegedly gained access to the medical center's network through the affiliated university network and was able to steal 4,000 patient records containing PHI including patients' dates of birth, Social
[ISN] DOD moving to IPv6
http://www.fcw.com/fcw/articles/2003/0609/web-dodip-06-13-03.asp

By Dan Caterinicchia
June 13, 2003

Beginning in October, all Defense Department assets acquired for the Global Information Grid must be compatible with the next-generation Internet Protocol Version 6 (IPv6), according to DOD's top information technology official. The GIG is a massive DOD network designed to connect warfighters anywhere in the world.

Moving to IPv6 will help the department achieve its goal of network-centric warfare and operations by the end of the decade, said John Stenbit, assistant secretary of Defense for networks and information integration. Stenbit signed a policy memorandum June 9 that outlines DOD's transition to the new protocol by 2008. That year was chosen because most experts estimate widespread commercial adoption will take place from 2005 to 2007, he said.

"We want to make it clear to our programs' major development activities that come on line in the 2008-2010 timeframe that the IPv6 standard, as it evolves, will be the department's standard," he said during a Pentagon press briefing today.

Stenbit, who also serves as DOD chief information officer, said the current protocol, IPv4, has been in use for almost 30 years. He noted that its fundamental limitations hinder network-centric operations, which link together disparate portions of the battlefield and increase the lethality of U.S. forces by providing situational awareness and knowledge superiority.

Stenbit said IPv6 is designed to meet future commercial and DOD requirements, including:

* Improved end-to-end security, which is critical for DOD intranets that contain large amounts of classified information and traffic.
* Improved quality of service through work-arounds that will eliminate packet drops and instability on video teleconferences and voice-over-IP systems.
* Facilitation of mobile communications.
* Better system management.
* Expanded IP address space, which is a major problem in Europe.

DOD is in the process of selecting three large programs to serve as early adopters of the new protocol, and the "results of those three experiments will [determine] if we pull the switch in 2008," he said. One pilot program per year will launch between 2005 and 2007, and they will be large enough, but also controlled enough, that DOD can properly analyze results for possible enterprise use, Stenbit said.

He added that either the Secret Internet Protocol Router Network (SIPRNET) or the Non-Classified Internet Protocol Router Network (NIPRNET) might be one of the programs switched over to IPv6, and that the Navy Marine Corps Intranet also is being considered. Definitive choices will be made within 30 days.

"NMCI has a large population of users. . .and when they get to [a suite] of standard applications, there's a technology refresh in the contract in a couple of years," he said, noting that could be the time to make a switch to IPv6.

Vendors, including Cisco Systems Inc., already are producing equipment that is compatible with both IPv4 and IPv6, and as competition heats up in the next few years, costs should level out, Stenbit said. However, routers, software and other tools that run on both standards will probably perform slower, prompting Stenbit to note, "We believe that to be a real cost, but that doesn't keep me awake at night."

A draft DOD IPv6 transition plan will be released within one month and completion of the plan is expected by early September, according to Stenbit's memo.
RE: [ISN] This computer security column is banned in Canada
Forwarded from: Tony | AVIEN / EWS <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]

[Last post on this topic... - WK]

<>

I certainly don't disagree that your example scenarios are a valid security measure. I think the examples of using non-standard web server applications or non-standard port assignments are valid and useful in securing an environment. Where I would differ with you, I guess, is on the definition of security through obscurity, or at least for the purposes of this discussion.

In a way all of security IS obscurity. You hide behind a firewall, strip header information from packets, NAT your source IP address, encrypt your communications or use steganography to hide the existence of information altogether. Almost every measure of security is designed to somehow "obscure" your information so that only those you authorize are aware of its existence or can gain access to it.

That said, in my opinion your point is apples and oranges to the "security through obscurity" debate. The security through obscurity mantra *I* am referring to is related to a vendor being aware that a vulnerability exists and choosing to ignore that fact. I am talking about a vendor operating on the philosophy that if they just don't publicly announce a flaw or vulnerability it will remain secret and therefore won't be exploited. My point is that nine times out of ten the underground knows of a vulnerability before the vendors do or will eventually discover it somehow. If the vendor sits on knowledge of a flaw thinking that will keep their product secure they are mistaken. Instead, they are leaving their customers vulnerable to attacks that they could prevent but choose not to. For a good example I would refer to the Unpatched IE Security Holes web site (http://www.pivx.com/larholm/unpatched/). Microsoft is obviously aware that these flaws exist since they can visit this web site just like anyone else.

Companies have abused and misused the DMCA to threaten security researchers and prevent them from disclosing or sharing their findings because they would rather pretend the vulnerability doesn't exist and hope it never gets exploited than develop a patch and share the information with the public and their customers.

I see your points and I think they are valid, but it is a semantic debate. Your definition and illustrations of how to use obscurity to help secure your computer or network are entirely separate from the intent of the Security Through Obscurity mantra being touted. Read the following articles: they don't talk about not attempting to hide or obscure your actions or implementing security measures to prevent attack; they talk about vendors not disclosing known vulnerabilities in hopes they won't have to bother issuing a patch.

http://slashdot.org/features/980720/0819202.shtml
http://www.vnunet.com/Analysis/1126488
http://www.nightfallsecurity.com/whitepapers/obscurityeu.html
http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?security+through+obscurity

Tony Bradley, CISSP, MCSE2k, MCSA, MCP, A+
About.com Guide for Internet / Network Security
http://netsecurity.about.com
Click here to sign up for the weekly Internet / Network Security Newsletter: NetSecurity Newsletter