[ISN] Call for donations!

2004-07-07 Thread William Knowles
Call for donations for InfoSec News and C4I.org! 

http://www.c4i.org/donation.html 

Richard Clarke once said... 

"If you spend more on coffee than on IT security, then you will be 
hacked. What's more, you deserve to be hacked." 

InfoSec News is always in a cash crunch. While we could start
accepting funds in lieu of sponsorship on the list, we would rather
take donations from subscribers to keep InfoSec News advertising free.  
It's sorely needed and helps a good cause!

For $1.00 at the local diner, you can buy a bottomless cup of coffee. 
At the local bookstore, a large three shot, double latte cappuccino is 
about $4.00. Ideally we'd like to see every InfoSec News subscriber 
sacrifice at least one or two days without his or her coffee to enable 
us to buy the equipment needed to not only continue the work we've 
been doing, but improve our services. 

In classic public broadcasting style, if you can make a donation of
$50 or more, we'll include this year's swank C4I.org shirt and a
sticker, and if you have donated $50 or more in the past, thank you
very much, I will be contacting you shortly for your shirt size!

Immediate and near term improvements such as a digest version of the
list have been implemented (spam & worms have been stopped dead), a
server has been purchased, hosting has been taken care of, and RSS
feeds of InfoSec News and other crucial security mailing lists will be
available soon, as well as the capability to run searches of past
InfoSec News articles.

A donation of $1 to $4 isn't a lot when you consider the work done 
behind the scenes here, such as dealing with Microsoft SMTPSVC, 
bounced mail, and dead addresses. It's no small feat finding, 
filtering, formatting, and analyzing the news stories that more than 
3800 information security, homeland defense, and open source 
intelligence professionals depend on daily. 

http://www.c4i.org/donation.html 

Through PayPal we can accept donations in the following currencies: 
U.S. Dollars, Canadian Dollars, Euros, Pounds Sterling, & Yen. 

Using Amazon's Honor System, you can use your credit card without
retyping it if Amazon already has it on file. However, Amazon keeps
approximately 15 percent of each donation.

If you don't trust either one of those methods, that's OK, 
the mailing address here is...

C4I.org 
Post Office Box 24 
Golf, Illinois 60029-0024 
U.S.A. 

Donations to C4I.org may be tax deductible; check with your tax 
advisor. 

Thank you for your consideration! 

William Knowles
[EMAIL PROTECTED]



*==*
Communications without intelligence is noise;  Intelligence
without communications is irrelevant. Gen. Alfred M. Gray, USMC

C4I.org - Computer Security & Intelligence - http://www.c4i.org

Help C4I.org with a donation:   http://www.c4i.org/donation.html
*==*




_
Help InfoSec News with a donation: http://www.c4i.org/donation.html


[ISN] CA sued (again): This time for $800m

2004-07-07 Thread InfoSec News
http://software.silicon.com/applications/0,39024653,39121939,00.htm

Will Sturgeon
silicon.com
July 06, 2004

Computer Associates has been hit with an $800m lawsuit by a group of
three Canadian security companies that claim the New York-based
software giant ripped off their intellectual property when developing
its own security applications.

CA is also accused of serious breaches of contract in the court
filing, though the company denies any wrongdoing and says the filing
lacks any merit.

NI Group, Scienton Technologies and Secure-IT claim CA stole concepts
and software as well as failing to honour a contract to pay up for
development and implementation work carried out for a number of CA
customers.

At the centre of the accusations are two CA products - eTrust 20/20
and Command Center. In both instances, it is claimed CA stole ideas
and intellectual property from the complainants following previous
work carried out with the Ontario-based companies.

The lawsuit, filed with a federal court in New York, claims damages in
excess of $800m and while a CA spokesman claimed the accusations have
no merit, its second major lawsuit in recent weeks is further
evidence of the company's troubled and ongoing attempts to haul itself
out of a two-year-long lawsuit and federal investigation-related
malaise.

Major investor and long-term boardroom agitator Sam Wyly recently
announced his intention to seek damages of around $1bn from Computer
Associates.





[ISN] Wendy's Drive-up Order System Information Disclosure

2004-07-07 Thread InfoSec News
Forwarded from: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED]

[Real mi2g, fake mi2g, whatever, it had me in stitches! :)  - WK]


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


- -- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)


I. BACKGROUND

Wendy's International, Inc. is one of the world's largest
restaurant operating and franchising companies with more than
9,300 total restaurants and quality brands - Wendy's Old
Fashioned Hamburgers®, Tim Hortons® and Baja Fresh® Mexican
Grill. The Company invested in two additional quality brands
during 2002 - Cafe Express™ and Pasta Pomodoro®.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system
allows an attacker to gain sensitive information about the
order of arbitrary customers.

During customer/vendor handshake, the customer vehicle
must come to a stop beside the vendor menu ordering system
which contains a large screen to display the current order.
During this process, adequate protection is not given to the
space between the vehicle and the menu allowing for a number
of remote attackers to obtain sensitive order information.

Once the victim has finished ordering, the information stays
available on the screen for up to several minutes or until
another customer has pulled forward. This creates a great
window for exploitation and increases the chance of winning
the race condition.

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious
arbitrary attackers to retrieve the contents of the previous
customer's food order which is a serious breach of confidentiality.

As proof of concept, this attack was carried out against mi2g
CEO DK Matai. It was disclosed that he ordered a grilled chicken
sandwich, large fries and a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display
are affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the
order display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-2934 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02   Exploit discovered by mi2g
07/08/02   mi2g clients (the Inner Sanctum) notified
01/08/03   The Queen notified
03/22/03   bespoke security architecture updated
09/01/03   mi2g clients notified again
07/07/04   Public Disclosure
07/08/04   Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with
discovering this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are
not vulnerable to XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert
electronically provided a small royalty is paid. It may not be
edited in any way without the express written consent of mi2g. If
you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please email
[EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard
to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDrk18ACgkQa74Q1wBemg8ZEACfTaxcsaq/mkOAWZ8A5TPRhM/gq8gA
n0pcaILhtSzHGnGbdBi1BCHQCi7s
=YRgk
-----END PGP SIGNATURE-----







[ISN] Applying Pressure

2004-07-07 Thread InfoSec News
http://www.informationweek.com/story/showArticle.jhtml;jsessionid=FFF3VRUN3SBXMQSNDBCCKHY?articleID=22103604

By John Foley,
George V. Hulme,
Steven Marlin
InformationWeek 
July 5, 2004 

What began as an uncoordinated din of IT professionals complaining
about computer security has turned into a collective movement that's
spanning entire industries. For evidence, consider the actions taken
by BITS, a powerful financial-industry organization that recently
crafted a detailed security policy on how it expects technology
companies to respond to the needs of its member firms. Two weeks ago,
the nonprofit consortium squeezed concessions from Microsoft. Now,
other big-name vendors are in its sights.

BITS acted because the costs and risks associated with rising software
vulnerabilities have become untenable, senior director John Carlson
says. Coping with software vulnerabilities has become a $1
billion-a-year problem for the financial industry, according to BITS,
whose heavyweight roster includes Bank of America, Citigroup, Fidelity
Investments, and Wells Fargo. "We clearly anticipated that the costs
are going to increase over time unless something is done," Carlson
says.

Dissatisfied with the pace at which IT vendors were moving to address
security problems, BITS decided to engage them on its own terms.  
"There's almost no one who's immune," says Larry Seibel, information
security director at Huntington National Bank, whose chairman and CEO,
Thomas Hoaglin, is on BITS's board of directors. "I don't think anyone
believes we're going to have a quick fix." Just last week, the SANS
Institute's Internet Storm Center reported an attack in which hackers
attempted to capture, via Internet Explorer, user-login information
from customers of dozens of financial institutions.

BITS held an invitation-only meeting in February for its members and
some undisclosed software companies, and, in late April, it unveiled a
sweeping plan to encourage IT vendors to show a "higher duty of care"
in delivering foolproof products. A detailed policy statement, issued
jointly with the affiliated Financial Services Roundtable, calls on
vendors to make security a fundamental part of software design,
support older versions of products, make upgrades easier, improve the
patch-management process, and give companies with critical
infrastructure advance notice of new vulnerabilities.

The group hopes to influence product development and support across
the technology industry. Prominent names are at the top of its list:  
Cisco Systems, Computer Associates, Hewlett-Packard, IBM, Microsoft,
Oracle, and PeopleSoft. "There are lots of potential weak links,"
Carlson says. "Our members said, 'These are important companies to
engage.'"

InformationWeek surveyed some of those leading technology companies to
assess their readiness to meet BITS's specific proposals. To see their
answers, go to informationweek.com/996/responses.htm.

BITS supports incentives, including tax breaks, to encourage vendors
to put more research and development into security, and it promises to
help protect industry groups from antitrust laws as they collaborate
on security measures. It's also wielding a stick by encouraging
regulators to share some of the information they already gather on the
security practices of software companies.

Security professionals believe there's something to be gained by
bringing the collective weight of an industry to bear on the issues
they face every day. "These efforts present a united front and focused
pressure, rather than each of us working on our own to improve
software and to get change," says Gene Fredriksen, VP of information
security with Raymond James & Associates, co-chair of BITS's
software-security working group, and a member of its security and
risk-assessment executive committee.

It doesn't hurt that BITS has the backing of some big guns. Thomas
Renyi, chairman and CEO of the Bank of New York, is chairman of BITS's
board of directors. According to Cisco, its CEO, John Chambers, has
met directly with the industry group.

BITS is rallying companies from other industries around the same set
of issues. Technology executives from the telecommunications,
chemical, and electric-utility industries were invited to its
closed-door February meeting, and the group coordinated with the
influential Business Roundtable on the details of its
software-security policy and the timing of its release.

"Everyone's looking at everyone else's work, saying, 'What can we do
working in collaboration with each other to solve this problem?'"
Carlson says from his Washington office, where he had just returned
from a meeting last week of the House Subcommittee on Technology,
Information Policy, Intergovernmental Relations, and the Census. Last
month, the chairman of that subcommittee, Rep. Adam Putnam, R-Fla.,
co-authored an amendment to the 1996 Clinger-Cohen Act that would make
information security a required consideration when government agencies
buy computer 

[ISN] Govt scores poorly in security test

2004-07-07 Thread InfoSec News
http://www.bangkokpost.com/Database/07Jul2004_data02.php

Karnjana Karnjanatawe
07 July 2004

Government web sites could be at risk from security threats, according
to a recent survey, which found that only 12% of 267 surveyed agencies
used data encryption technology, and only one organisation - Krung
Thai Bank - utilised digital signatures.

The survey by the National Electronics and Computer Technology Centre
(Nectec) covered 267 government department-level agencies, universities
and state organisations.

It also found that almost half of the web sites surveyed relied on
only a user name and a password to authenticate users, while 12%, or
32 agencies, secured information with SSL or data encryption
technology.

"Some agencies do not even have a firewall to protect against hackers.
This is a weakness of the government," said Nectec director Dr
Thaweesak Koanantakool, adding that agencies needed to be more
concerned with security and provide secure transactions to the public.

ICT Ministry permanent secretary Dhipavadee Meksawan said to help ease
security concerns, the ministry plans to invest up to eight million
baht to provide 50,000 digital signatures for government officers by
September.

The digital signatures will be issued by the Government IT Service,
TOT Corp and the CAT Telecom, she said, adding that they will help
reduce document fraud and provide secure transactions.

The survey, conducted between 14 January and 31 March this year, aimed
to find out the e-service readiness of the web sites. It also tracked
information provided by the sites, including basic organisation
information, history, email, news and links to other agencies.

More than half (64%) are bilingual web sites but only two
organisations (1%) had features for easier accessibility, such as
captions for pictures and clear fonts and colours.

Most of the agencies (91%) updated their information once a week while
the remaining 9%, or 25 agencies, updated the information more than
once a week.

Some 77% of sites offer interactive functions such as an email form
(82%), web board (74%), FAQ (39%) and internal search service (47%),
while 55% or 145 agencies have transaction functions including log-in
forms (54%), data transactions (10%) and online payments (6%).

None of the government agencies provides applications on their web
site and only seven percent (19 agencies) have implemented basic
intelligence that can provide information based on a user's log-in.
"Most of these were web sites of universities," said Dr Thaweesak.

"We want to see more integration and intelligence from the government
web sites in the future," he said.

Meanwhile the ICT Ministry permanent secretary said the survey would
be used to reflect the status of government agencies to Cabinet and
for allocating its ICT budget.

Nectec also plans to extend its survey to cover the web sites of
provincial administrative offices, schools and ministries in the
future.





[ISN] REVIEW: Network Security Jumpstart, Matthew Strebe

2004-07-07 Thread InfoSec News
Forwarded from: Rob, grandpa of Ryan, Trevor, Devon & Hannah [EMAIL PROTECTED]

BKNTSCJS.RVW   20030604

Network Security Jumpstart, Matthew Strebe, 2002, 0-7821-4120-X,
U$24.99/C$39.95/UK#18.99
%A   Matthew Strebe [EMAIL PROTECTED]
%C   1151 Marina Village Parkway, Alameda, CA   94501
%D   2002
%G   0-7821-4120-X
%I   Sybex Computer Books
%O   U$24.99/C$39.95/UK#18.99 800-227-2346 [EMAIL PROTECTED]
%O  http://www.amazon.com/exec/obidos/ASIN/078214120X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/078214120X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/078214120X/robsladesin03-20
%P   365 p.
%T   Network Security Jumpstart

The introduction states that this book is suitable for anyone from the
home user to the network administrator to the CEO.  Which is a pretty
tall order.

Chapter one has a decent overview of why computers aren't secure, a
scant computer security history, a few security concepts, and a fairly
trivial set of review questions.  There is a media level exposition
on hackers, in chapter two, a rough outline of intrusion procedures,
and a list of specific attacks that I'm not sure the author fully
understands.  (Immediately following Denial of Service comes a
separate entry for Floods: flooding being a type of denial of
service.)  There is a terse introduction to cryptography, and not much
more than chapter one gave us about authentication, in chapter three. 
The suggestions for policy creation, in chapter four, aren't bad for
simple cases, but seriously understate the difficulty of establishing
a full policy, even for home users.  Chapter five describes firewalls
(and seven tells a little bit more about using them at home).  Chapter
six makes the common mistake of assuming that all VPNs (Virtual
Private Networks) are about confidentiality: some are merely about
managing communications configurations.

There is some correct and useful information about viruses in chapter
eight, but it is unfortunately mixed in with a lot of garbage. 
Windows NT and its subsequent versions are *not* immune to viruses,
although a rigorous set of file permissions can reduce your risk of
file infectors (which are no longer a major category anyway). 
Signature scanners are *not* the only type of antiviral software. 
Viruses were *not* invented by accident, BRAIN *never* had an onscreen
display and didn't infect program files, and neither Stoned nor
Jerusalem (Friday the 13th is one variant) were based on BRAIN. 
Neither Stoned nor BRAIN relied on program sharing to propagate: data
disks were quite sufficient.  Viruses that only replicate are *not*
benign (anybody ever have problems with Stoned?  Melissa? 
Loveletter?), *will* be discovered, and scanning signatures *are*
created.

Fault tolerance, in chapter nine, is not quite business continuity
planning (BCP), but does go beyond the usual UPS (Uninterruptable
Power Supply) and backup recommendations.  Although chapter ten lists
a number of security mechanisms in Windows, a practical understanding
of their use is not presented.  The UNIX tools in eleven are described
more usefully--but they only relate to file permissions.  The network
security tools for UNIX are in twelve--but are only enumerated. 
Chapter thirteen has good suggestions for Web server security--but
doesn't say how to implement them.  A random collection of email
security tools and threats makes up chapter fourteen.  IDS (Intrusion
Detection System) concepts are not explained very well in chapter
fifteen: Strebe apparently doesn't understand that all forms use audit
data of one type or another, and doesn't list the major distinctions
between either the engine type or sensor location.

Even given all the faults, one has to admit that Strebe has not done a
bad job with his ambitious intent.  Certainly home users and CEOs can
find better explanations here than in many of the other works aimed at
them, however much I might wish that the book as a whole was more
accurate.  And, yes, even the network administrators might find some
helpful points in the more conceptual material at the beginning of the
book: most of them could do with a better understanding of the need
for policy.  This work isn't great, by any means, but it can fulfill a
need for a quick guide to network threats, for a variety of audiences.

copyright Robert M. Slade, 2004   BKNTSCJS.RVW   20030604


==  (quote inserted randomly by Pegasus Mailer)
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Keep away from people who try to belittle your ambitions. Small
people always do that, but the really great make you feel that
you, too, can become great. - Mark Twain
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade


