******* Vendor Corner *******

Introducing Entrust/TruePass(tm), the new "zero footprint" Web security and privacy solution from Entrust Technologies that can help accelerate the deployment of B2B and B2C transactions over the Internet. Dial in on May 16th to find out how Entrust/TruePass can make the deployment of trusted online financial services using digital signatures fast and easy. Or dial in on May 25th to learn how Entrust/TruePass can be used to secure and add trust to your B2B transactions. For more information visit http://www.entrust.com/events/telebriefings.htm

Entrust Technologies is the leader in bringing trust to e-business relationships. We make it safe to do business over the Internet.

******* What's new with SecurityPortal.com *******

The Joys of Incident Handling Response Process

When you are given a new position of responsibility, especially for handling security breaches or incidents, it is always prudent to learn some aspects of the job from your predecessor, if possible. A former boss at another company left his position when things went badly following the recent "Love Bug" Internet worm and his company was severely impacted by it. When I asked what happened, he related a story about when his position was a new assignment and he was given three envelopes from his predecessor, who told him that as difficulties arise, he should consult the envelopes in numeric sequence whenever he couldn't solve the problem otherwise. So my former boss accepted the envelopes and placed them in his office safe until needed. About six months later, a major problem occurred and, when he was unable to resolve the issue, he decided to open the first envelope. It read: "Well, I have been gone for some time but probably not very long, so blame the problem on your predecessor." My former boss tried it and management accepted that until everything was fully resolved. Another six months went by and another crisis occurred. Reluctantly, my former boss had no choice but to open the second envelope. In it, the message read: "I have been gone too long now to blame the problem on your predecessor, so explain that your subordinates did not fully understand and implement your instructions." My former boss tried it and everything was calm again. When the "Love Bug" hit his company, my former boss found himself sitting with the third and final envelope in his hands. Slowly he opened it and read: "Prepare three envelopes."

Read the full story here <http://securityportal.com/cover/coverstory20000515.html>

******* Vendor Corner *******

============================================================
Sponsored by VeriSign - The Internet Trust Company
============================================================

Which security solution is right for your Web site? Before you decide, request your FREE guide, "Securing Your Web Site For Business," to learn the facts. In the guide, find solutions for:
* Encrypting online transactions
* Securing corporate intranets
* Authenticating your Web site
Get your FREE guide today at: http://www.verisign.com/cgi-bin/go.cgi?a=n042401690003000

============================================================

******* Top News *******

May 15, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net

Recent postings in our top news <http://www.securityportal.com/topnews>:

May 15, 2000

Weekly Solaris Security Roundup <http://securityportal.com/topnews/weekly/solaris20000515.html> - This article is the first in a weekly series on Sun security. This issue includes a roundup of security issues over the last year and a list of relevant security resources. Three weaknesses were discovered and discussed on BugTraq in the last week of April; no patches are yet available from Sun. These weaknesses concern: Xsun buffer overflow, lp -d option buffer overflow, lpstat -r option buffer overflow. Need to find some Sun documentation? Check out Tip of the Week.

Weekly Microsoft Security Roundup <http://securityportal.com/topnews/weekly/microsoft20000515.html> - Three MS Security Bulletins: Undelimited .HTR Request, File Fragment Reading via .HTR, Malformed Extension Data in URL, Office 2000 UA Control. NTBugtraq: IE cookies security, Removal of WSCRIPT.EXE, and Profile Overwrite Delete Due to Registry Size Limit. Tip of the week: Windows 2000 Default Security.

Weekly Linux Security Roundup <http://securityportal.com/topnews/weekly/linux20000515.html> - Some problems were found in various Linux Napster clones, and Bugzilla has a rather brain-dead security hole. Postfix announced a new snapshot with SMTP AUTH support. No vendor advisories yet this week.

Weekly Check Point Security Roundup <http://securityportal.com/topnews/weekly/checkpoint20000515.html> - Check Point expands its relationship with IBM. CP again selected as official security co-sponsor of the InteropNet Event Network. Mailing list review includes: Two Connections Through One Firewall, Blocking MIME Attachments, Installing SecuRemote(tm) 4118 on Windows 2000, and Cleaning up a Hacked NT Webserver. Tip of the Week includes information on Big Brother, a very slick distributed system and network monitoring tool for *NIX and NT.

Weekly Axent Security Roundup <http://securityportal.com/topnews/weekly/axent20000515.html> - Axent released Defender 4.0. Mailing list review includes: The Raptor List Sponsors a Spontaneous Product Bake-Off, Redirecting SMTPD. Tips on how to deal with auto-execution of attachments in Outlook, Outlook Express, and Eudora Pro.

May 13, 2000

IDG: New DDoS tools being developed <http://www.idg.net/ic_176664_2058_1-1474.html> - A new distributed denial-of-service tool found recently in computers at several universities may be able to avoid defenses put up by Web sites after a rash of DDoS attacks in February temporarily shut down eBay Inc., Amazon.com Inc. and others, an executive with business software vendor Computer Associates International Inc. said.

CERT: Advisory Netscape Navigator Improperly Validates SSL Sessions <http://www.cert.org/advisories/CA-2000-05.html> - The ACROS Security Team of Slovenia has discovered a flaw in the way Netscape Navigator validates SSL sessions. The text of the advisory from ACROS is included below. It includes information CERT/CC would not ordinarily publish, including specific site names and exploit information. However, because it is already public, we are including it here as part of the complete text provided by ACROS.

May 12, 2000

LinuxMall: Stoic Distro for the Paranoid <http://www.linuxmall.com/news/?1,131> - Finally, a Linux distribution geared at easing the security-conscious minds of such self-professed paranoiacs as G. Gordon Liddy has hit the streets. Nexus developers are taking names, ranks and numbers. According to its makers, Nexus is a free, portable and secure Linux distribution. "Its target audience is the enterprise application, the paranoid system administrator and other areas where security is not a 'nice-to-have' additional feature, but an essential requirement," claimed anonymous Nexus developers in a recent announcement.

FCW: VA's "user's manual for hackers" <http://www.fcw.com/fcw/articles/2000/0508/web-va-05-12-00.asp> - Hackers could exploit at least 18 vulnerable spots in computer systems at the Department of Veterans Affairs, according to an internal VA memo.

Linux.com: Why Open-Source Software Matters to End Users <http://www.linux.com/news/articles.phtml?sid=93&aid=8664> - Open-source software (OSS) is important to end-users since it is a critical enabler of the Internet, as much of the code that drives the Internet derives from OSS. In fact, all Internet, intranet, and extranet applications depend on OSS, since many servers on the Internet are built using at least some OSS for operating system, web server, mail, and other Internet infrastructure functions. While it is possible to construct the Internet and web applications completely with proprietary software, OSS counters the proprietary grip of vendors who lock up data and lock in obsolescence. OSS ensures that the web remains open and based on open standards.

Cisco Field Notice: IOS Software Release 12.1(1)E2 <http://www.cisco.com/warp/public/770/fn12256.shtml> - This new version of the router OS includes several bug fixes, including some encryption-related issues. Link to advisory.

ZDNet: Bug hunters find cookie hole in IE <http://www.zdnet.com/zdnn/stories/news/0,4586,2568274,00.html?chkpt=zdhpnews01> - Personal information can be had if the victim uses Internet Explorer and clicks on a disguised string of JavaScript code. MS says a patch is coming.

Silicon: Corporates accused of negligent security policies <http://www.silicon.com/public/door?REQUNIQ=958090576&6004REQEVENT=&REQINT1=37445&REQSTR1=newsnow> - The recent spate of high-profile virus attacks is due to companies not making security a top priority, according to Chris Royle, director of security specialist Objectronix.

ElectronicNews: Toshiba develops photo-detector able to secure optical communications <http://www.electronicnews.com/enews/news/3413-132NewsDetail.asp> - Toshiba Research Europe Ltd. (TREL) has developed a new type of very sensitive photo-detector the company said is capable of detecting the faintest possible optical signals. The device responds to individual photons, the smallest indivisible units (quanta) of light, TREL said. The Cambridge, England-based subsidiary of Toshiba Corp. unveiled the photon detector this week at the Conference on Lasers and Electro-Optics in San Francisco.

CMPnet: Mazu Networks Aims To Stop Hackers' Net Attacks <http://www.crn.com/dailies/digest/breakingnews.asp?ArticleID=16559> - Mazu Networks, a start-up that was a runner-up in the prestigious Massachusetts Institute of Technology entrepreneurship competition, aims to put an end to the hacker attacks that resulted in highly publicized outages earlier this year for Internet high-flyers Yahoo Inc. and Buy.com Inc., among others.

ZDNet: Next viruses will be silent killers <http://www.zdnet.com/zdnn/stories/news/0,4586,2567745,00.html?chkpt=zdhpnews01> - 'Love' bug is child's play. Developers demonstrate a cross-platform virus that disappears before it can be stopped.

May 11, 2000

InfoWorld: Strategies for fighting computer crime shared at security summit <http://www.infoworld.com/articles/hn/xml/00/05/10/000510hnconferencesecure.xml> - ALMOST 100 CORPORATE security managers met with politicians and law enforcement representatives Tuesday in Menlo Park, Calif., to refine strategies for fighting computer crime. Billed as the "Internet Defense Summit," the meeting featured an address by Sen. Fred Thompson, R-Tenn., who announced a bill calling for annual reviews of government security practices.

Wired: Worm Suspect: I Didn't Mean It <http://www.wired.com/news/technology/0,1282,36270,00.html> - A Filipino computer school dropout under investigation over the "Love Bug" virus may have mistakenly transmitted the crippling cyber-worm but did not mean any harm, his lawyer said on Thursday. Onel de Guzman, a 24-year-old former student of AMA Computer College (AMACC) in the Philippine capital, held a news conference with his lawyer on Thursday after investigators summoned him and his sister Irene for questioning over the virus.

TheRegister: US Reps question anti-virus companies' integrity <http://www.theregister.co.uk/000511-000024.html> - US Congressman Anthony Weiner (Democrat, New York) blasted the anti-virus software industry for being humiliated by the Love Bug in a five-minute tirade during House Science Subcommittee hearings this week. "There's an industry here that's come up to deal with viruses, and this looks to me like a ground-ball virus. Frankly, this is an utter, abject failure of an industry that has sprung up to deal with these types of things," Weiner told anti-virus outfit McAfee's Sandra England.

GlobeTechnology: G8 set to tackle cyber-crime <http://www.globetechnology.com/archive/gam/News/20000511/TWBREA.html> - From credit card fraud to cyber-stalking and digital piracy, the Internet is providing unexpected possibilities for wrong-doing to a subterranean population that includes bored teenagers, professional crooks and secret agents. Cybercrime experts from the Group of Eight most industrialized nations are meeting in Paris next week to discuss ways of fighting the "virtual" crime wave.

FairfaxIT: Computer virus hit at least 14 US federal agencies <http://www.it.fairfax.com.au/breaking/20000511/A54751-2000May11.html> - AT LEAST 14 federal agencies were penetrated last week by the so-called love bug computer virus, a United States Government technology expert testified yesterday. "Virtually all of the largest federal agencies have significant computer security weaknesses that place critical federal operations and assets at risk to computer-based attacks," said Keith Rhodes, director of the Office of Computer and Information Technology Assessment in Congress' General Accounting Office.

FoxNews: Maine Public Broadcasting Member List Hacked <http://www.foxnews.com/vtech/051100/mpbhack.sml> - A hacker broke into the computer file that holds the names, phone numbers, addresses and credit card numbers of Maine Public Broadcasting Corp.'s 21,000 members. Station officials said they cannot yet tell if any of the information was downloaded or even looked at, and it is too early to determine if anything illegal has been done with the information.

LinuxPlanet: The Real Lessons of ILOVEYOU <http://www.linuxplanet.com/linuxplanet/opinions/1818/1/> - The eruption of rogue e-mail attachments last week ought to have taught the exponentially growing online community a great deal, but it looks as if the lessons were mostly missed. If one turned on the television or radio, even the television channel half-owned by the leading software maker, one heard that a "virus" written by a "hacker" had brought the online world to its knees and raised new questions "about the security of e-commerce." Well. It wasn't a virus, it was a Visual Basic script. It wasn't written by a hacker, it was written by what in the computer security world is known as a "script kiddie." And it had nothing whatsoever to do with e-commerce, save for the fact that no doubt some people were busy cleaning up their machines instead of browsing eBay.

ZDNet: Another destructive worm - South Park in German <http://www.zdnet.com/zdnn/stories/news/0,4586,2567563,00.html?chkpt=zdhpnews01> - A new computer bug dubbed SouthPark that matches in destructive power what its namesake TV series boasts in tastelessness is making the e-mail rounds, a computer security company said on Wednesday.

Standard: New E-mail Virus May Hurt Worse Than 'Love' <http://www.thestandard.com/article/display/0,1151,14993,00.html> - As detectives in the Philippines continue their investigation of the "ILoveYou" virus and as corporations worldwide scramble to clean up its aftermath, security experts in the U.S. are targeting a new, potentially more destructive e-mail virus that doesn't even require its attachment to be opened before wreaking havoc.

The Evolution of Malicious Agents, Part 2 of 2 <http://securityportal.com/research/virus/maliciousagents2of2.html> - This paper examines the evolution of malicious agents by analyzing features and limitations of popular viruses, worms, and trojans, detailing the possibility of a new breed of malicious agents currently being developed on the Internet.

CNN: Hotmail, Yahoo scramble after email security flaws exposed <http://cnn.com/2000/TECH/computing/05/10/email.security/index.html> - An Internet civil liberties organization said it discovered two serious security problems that would allow hackers considerable access to user accounts of several popular free Web-based email services like Hotmail and Yahoo!

ComputerWorld: 'Love Bug' exposed inadequate warning systems, experts tell Congress <http://www.computerworld.com/home/print.nsf/(frames)/000510DDD6?OpenDocument&~f> - The "Love Bug" was widely successful in infecting computer systems in North America and in exposing -- once again -- the ineffectiveness of government alerting systems in issuing warnings about such threats. That's what a U.S. House Committee on Science subcommittee heard today from a panel of experts about the virus or worm, which arrived virtually everywhere earlier this month.

May 10, 2000

LinuxNews: Pow-Wow With Apache's Hackers <http://www.linuxnews.com/news/?1,123> - Can you be scalped nicely? Apache seems to think being red in the face beats being red in the accounting department after an embarrassing encounter with some clever and well-meaning hackers. With the IT world still bobbing confusedly in the wake of the Microsoft Outlook love bug, the Open Source Internet Servicer, which currently runs over 60% of the Web sites on the Internet, was targeted by hackers Friday. The intruders, who declined to damage or disrupt the site, instead marked their trail with a modified Microsoft logo.

gazette.com: Teen accused of raiding city Web site <http://www.gazette.com/daily/top3.html> - A 17-year-old Colorado Springs boy was charged in juvenile court Tuesday with one count each of computer crime and criminal mischief after he broke into the city's Web site in October and replaced it with the message, "i love this city ytcracker 9d9 palmer high."

EcommerceTimes: U.S. Unveils Net Fraud Center <http://www.ecommercetimes.com/news/articles2000/000509-3.shtml> - The U.S. Department of Justice (DOJ), FBI, and the National White Collar Crime Center launched the Internet Fraud Complaint Center (IFCC) Monday to give consumers and businesses a place online to report incidents of online fraud.

ZDNet: Security flaw in Hotmail <http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2566838,00.html?chkpt=p1bn> - A new security flaw has been discovered in Microsoft's Hotmail program that could give a hacker access to a user's account. The exploit uses an HTML attachment to give a hacker access to the account.

FCW: Senate sheds light on State security problems <http://www.fcw.com/fcw/articles/2000/0508/web-state-05-10-00.asp> - The Senate has proposed sweeping information security reforms throughout the State Department's intelligence and counterintelligence organizations to stem the growing tide of information security breaches at the department.

MSNBC: Virus may have been thesis projects <http://www.msnbc.com/msn/403350.asp> - Two students at a Philippine computer college wrote software programs that may have been combined to make the "ILOVEYOU" virus that disabled e-mail systems worldwide, school officials said today. "We are not saying they are the culprits," said an official at the AMA Computer College in Manila. But he characterized the information, which has been shared with investigators, as "potential leads for further confirmation."

PC World: Gates - Get Smart About Security <http://www.pcworld.com/pcwtoday/article/0,1510,16655,00.html> - "Over 99 percent of security problems are related to the fact that it is difficult to administer (security policy) specifications," Gates said. Most security mistakes revolve around password and policy implementation, he adds. "The answer is moving away from passwords and other ideas." (OK, explain to me again how smart cards would have prevented LoveLetter, ExploreZip, Melissa?)

NW Fusion: Network manager destroyed his own network <http://www.nwfusion.com/news/2000/0509guilty.html> - The network administrator was accused of setting a software time bomb that crippled his former employer's manufacturing capabilities and cost them more than $12 million in damages, in what is the first federal criminal prosecution of computer sabotage. (OK, so maybe guys with names like Mafiaboy and Coolio aren't the only ones to be worried about.)

ZDNet: Internet Defense Summit - Ban the Internet bad guys! <http://www.zdnet.com/zdnn/stories/news/0,4586,2566543,00.html> - Security experts convened at the Defense Summit to commiserate on the dire straits of cybersecurity, and there was plenty of blame to go around.

May 9, 2000

Security Portal: New Look, New Partner, New Corporate Services - Same Old Mission <http://securityportal.com/topnews/newpartner20000509.html> - Running a business in Internet time rarely gives one the ability to pause and reflect on some of the milestones of days gone by - whether personal or within the industry. However, the occasion of our new site launch provides a good opportunity to give our readership a report from the bridge and let you know what to expect next. It is exciting to think that in less than two years Security Portal has gone from a good idea spawned by a couple of guys - immediate security news and analysis - to a company now poised to play a leading role in web-enabled Information Security Services, a new market we call "Managed Security Portals".

Byte: Firewalls For Home Users Are Essential <http://www.byte.com/column/BYT20000501S0004> - It used to be that folks with PCs didn't have to worry much about security. Apart from the rare LAN in an office environment, most machines were solitary, perhaps linked together via Sneakernet. The only thing you really had to worry about from a BBS was accidentally downloading an annoying (but usually harmless) "ASCII bomb" that might lock your machine up and force you to reboot, but that was about it. As long as you controlled physical access to your machine, you were safe.

SunWorld: Hacker's toolchest <http://www.sunworld.com/sunworldonline/swol-05-2000/swol-05-security.html> - There are hackers capable of penetrating almost any system. The good ones get paid for it. The bad ones pay for it. What is a hacker's approach to penetration testing? What tools do they use? In this column, Carole Fennelly asks noted security specialists Brian Martin, Mark Abene, and Rain Forest Puppy for their perspective.

FCW: Microsoft, Netscape battle over browser hole <http://www.fcw.com/fcw/articles/2000/0508/web-hole-05-09-00.asp> - Microsoft Corp. and Netscape Communications Corp. are at odds over who is to blame for a browser-related security hole that could make Web sites vulnerable to attack from hackers.

ZDNet: 'Love Bug' suspect released <http://www.zdnet.com/zdnn/stories/news/0,4586,2565700,00.html> - Philippine prosecutors said on Tuesday police did not have enough evidence to hold a man suspected of being a creator of the crippling "Love Bug" computer virus and ordered him set free.

Internet Security at a Glance <http://www.securityportal.com/research/security101/internetsaag.html> - A Security 101 article aimed at those fairly new to security: Internet Security is an expansive topic. After the many dozens of books written on the subject, an attempt to squeeze even the essentials into an online article is a real challenge. Since I can't discuss every element of Internet Security, I've chosen a number of practical Internet Security subjects - the very most useful ones.

ZDNetUK: ADSL and the opportunistic hackers <http://www.zdnet.co.uk/news/2000/18/ns-15158.html> - ADSL may mean faster Net access and 'always-on' connection, but there are dangers.

CNN: Internet provider says Caller ID foiled 'Love Bug' author <http://cnn.com/2000/TECH/computing/05/08/ilove.you.05/index.html> - Philippine investigators on Monday were questioning a man whose apartment in Manila's lower middle-class Pandacan neighborhood they suspect to be the source of the "ILOVEYOU" virus. The investigators searched the apartment after linking it to the virus through a rather basic invention: Caller ID.

ZDNet: Did security firms fail their big test? <http://www.zdnet.com/zdnn/stories/news/0,4586,2565115,00.html> - Anti-virus sites got overwhelmed. New virus variants poked holes in updated virus scanners. So much for cybersecurity?

The Evolution of Malicious Agents - Part 1 of 2 <http://securityportal.com/research/virus/maliciousagents1of2.html> - This paper examines the evolution of malicious agents by analyzing features and limitations of popular viruses, worms, and trojans, detailing the possibility of a new breed of malicious agents currently being developed on the Internet.

May 8, 2000

InfoWorld: Love Bug virus costs expected to reach $10 billion <http://www.infoworld.com/articles/hn/xml/00/05/08/000508hnlovehurts.xml> - A RESEARCH COMPANY tracking the global effects of the 'I Love You', or Love Bug, virus, expects economic damages to reach at least $10 billion before the virus and its variants are eradicated.

NetworkWorld: The enemy within <http://www.networkworld.com/research/2000/0508feat.html> - Teen crackers get the ink, but the real threat to your network could be sitting in the next cubicle.

BBC: Computer crime plan 'bad for business' <http://news.bbc.co.uk/hi/english/sci/tech/newsid_740000/740766.stm> -
Controversial proposals to control the interception of e-mail and other communications return to the UK Parliament on Monday, having previously been described as appalling and objectionable.

ZDNet: Police arrest ILOVEYOU suspect <http://www.zdnet.com/zdnn/stories/news/0,4586,2564627,00.html> - Taken into custody was the suspected author of the virus, Romel Lamores, 30 years old, in Pandacan, Manila. The suspect is an employee of China Bank. A young woman said to be his girlfriend will turn herself in later Monday, authorities said.

******* What's new with SecurityPortal.com *******

Why We're Doomed to Failure

I'm in a strange mood and was thinking about various things, one of which was the quantity of information on the weekly Linux security digest. I was doing the BSD digest a few days ago, and it struck me: OpenBSD has far fewer problems. To be fair, they are not 100% free of security problems, but they are closer than most to that goal. I think the following quote sums up a lot of this article: "Security is a process, not a solution." Even if we design a process that is fault tolerant, very robust, and easy to implement, we are still doomed to failure in almost all cases.

One of the most popular ways to break into computer systems is through the buffer overflow. This is usually due to a fault in the way the software handles user input, network traffic, command line arguments, and so on, in programs that run as root (setuid programs, or network daemons that do not drop privileges properly). The most obvious solution to this problem would be to audit the software and remove any potential problems. OpenBSD took this route, and it has worked relatively well. However, it is not a panacea. The main drawback of this method is the stupendous amount of effort needed. It would be utterly infeasible to audit Windows 2000 to the same degree OpenBSD has been, and because of this several other problems emerge.
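The two mistakes the column names, an unchecked copy of attacker-controlled input into a fixed buffer and a privilege drop that is not verified, shown as an added C example that is not from the column, from SecurityPortal or from OpenBSD: the pattern an audit looks for sits beside the bounded copy it would be replaced with, followed by a privilege drop that checks its own result. NAME_MAX_LEN, name_copy_unchecked, name_copy_checked and drop_privileges are names chosen here; the default argument is constructed sample input.

```c
#define _GNU_SOURCE            /* for strnlen() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define NAME_MAX_LEN 32        /* fixed buffer size chosen for this example */

/* The pattern an audit flags: nothing bounds the copy, so an argument
 * longer than the destination writes past the end of the buffer. In a
 * setuid program this is exactly the class of bug the column describes. */
int name_copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);          /* audit finding: unbounded copy of untrusted data */
    return 0;
}

/* The audited replacement: measure no further than the buffer, refuse
 * input that does not fit (including its terminator), then copy with an
 * explicit length. Returns 0 on success, -1 if the input is too long;
 * callers must treat -1 as a hard error, not a warning. */
int name_copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t n = strnlen(src, dstsize);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Dropping privileges "properly": supplementary groups first (only root
 * can clear them), then the primary group, then the user, because the
 * reverse order leaves the process unable to change its group. Finally
 * verify the drop took: after a real drop, regaining root must fail.
 * Returns 0 on success, -1 if any step failed or the drop is incomplete. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* still able to become root: failure */
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char name[NAME_MAX_LEN];
    /* Constructed default input so the program runs without arguments. */
    const char *arg = argc > 1 ? argv[1] : "sample-user";

    if (name_copy_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "argument too long (limit %d bytes)\n", NAME_MAX_LEN - 1);
        return 1;
    }
    /* A setuid program or daemon would do its privileged work here, then
     * drop to the invoking user's real uid/gid before touching untrusted data. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u with name \"%s\"\n", (unsigned)getuid(), name);
    return 0;
}
```

Run as an ordinary user, `drop_privileges` succeeds trivially; the point is that a setuid-root binary using the same routine cannot silently keep root when `setuid` fails.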
Read the full story at <http://securityportal.com/closet/closet20000510.html>

******* New From SecurityPR.com *******

F-Secure Distributed Firewall Defends Mobile Workforce Against Network Intruders <http://www.europe.f-secure.com/news/2000/news_2000050901.html> - F-Secure Distributed Firewall protects mobile laptops, enterprise workstations and servers against network attacks. The product also represents an important new defense in the fight against "Distributed Denial of Service" attacks.

Personal Firewalls and Intrusion Detection <http://securityportal.com/pr/pr.20000510120303.html> - InfoExpress Extends Enterprise Security to the Increasing Number of Home Users Behind DSL and Cable "Always On" Connections.

SecurityPortal.com wins LinuxLock Security Source of the Month <http://www.linuxlock.org/features/somapril00.html> - Each month LinuxLock chooses a Security Source of the Month. This award goes to whomever we feel speaks loudest as a security resource. This month LinuxLock has chosen SecurityPortal. After discussions about the many great authors and the good sites, we decided on SecurityPortal for the functionality it lends to Security Admins.

Enter your own Press Releases directly at SecurityPR.com. http://securitypr.com

*******************************************

Tell us how we are doing. Send any other questions or comments to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.

Michael McCrea
SecurityPortal.com - the Focal Point for Security on the Net
[EMAIL PROTECTED]

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
