[ISN] Al Qaeda Messages Posted on U.S. Server
http://www.washingtonpost.com/wp-dyn/articles/A47681-2004Jul13.html

By David McGuire
washingtonpost.com Staff Writer
July 13, 2004

An Internet computer server operated by an Arkansas government agency was transformed last weekend into the online home of dozens of videos featuring Osama bin Laden, Islamic jihadist anthems and terrorist speeches.

State government officials removed the files from a computer operated by the Arkansas Highway and Transportation Department shortly after they were discovered, a government spokesman said. The case highlights an increasing trend of hackers hijacking vulnerable Web servers for the purpose of advocating radical political and terrorist ideologies.

Links to the files were posted to a message board of a group called al Ansar. The Web site features photos of bin Laden, leader of the al Qaeda terrorist network, and the Sept. 11, 2001, hijackers, as well as basic facts about the tenets of Islam and links to chatrooms and other Islamic Web sites.

The person who posted the links identified himself as "Irhabi 007" -- or "Terrorist 007" -- said Laura Mansfield, who tracks pro-al Qaeda Web sites for Northeast Intelligence Network, an Erie, Pa.-based private group of analysts that monitors the Internet for terrorist activity.

Arkansas Transportation Department spokesman Randy Ort confirmed that approximately 70 unauthorized files were posted on Sunday to a "File Transfer Protocol" (FTP) site that the agency operates for contractors. FTP sites are widely used throughout the Internet as a way to transfer large files quickly.

Ort would not describe the files, except to say that they were labeled "in a foreign language." He said the department shut the site down on Monday morning after a CNN reporter called to ask what the materials were doing there. Ort said that the FBI has confiscated the server where the files were located.
FBI spokesman Joe Parris confirmed that the agency took the computers, but would not say whether it was investigating the incident.

Mansfield said hijacking unsecured FTP sites is standard procedure for al Qaeda sympathizers, but it was unusual for them to take over a government site. "Basically, what they do is they go out, they find a Web site, and they borrow the bandwidth until they get caught and somebody kicks them off," Mansfield said. "Companies and organizations would do well to shut down their anonymous FTP servers nowadays, because they are being misused."

According to a 23-year CIA veteran who has anonymously criticized U.S. counterterrorism policy in a recently published book, "Al Qaeda's most important growth since the 11 September attacks has not been physical but has been, rather, its expansion into the Internet." In his book, "Imperial Hubris: Why the West is Losing the War on Terror," [1] the author says the United States and its allies have staged "information warfare attacks" on some Internet sites, "thereby forcing them off-line and making their producers hunt for new host servers."

However, it was not clear whether the person who hijacked the Arkansas server was an actual al Qaeda terrorist or someone with other motivations. Ken Dunham, malicious code manager for iDefense Inc., an Internet security firm based in Reston, said a growing number of computer crimes are being committed in the name of political causes, with some hackers seeking to identify themselves with terrorism in a bid to boost their importance in the hacker subculture.

Mansfield, who said she speaks fluent Arabic and has tracked Terrorist 007's activities since February, said the poster admitted online that he does not speak Arabic. His postings in Arabic bear signs of being run through an electronic translator, she said. She said the person has posted at least 900 items on the al Ansar Web site.
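The misuse described above is the classic anonymous-FTP drop zone: anonymous login plus a writable directory, which outsiders find and fill with files until someone notices. Two checks a practitioner would want are an audit of the server configuration for that combination and a scan of the transfer log for uploads by the anonymous account. The script below is an added example, not code from the article or from the Arkansas agency; the log lines and vsftpd.conf fragments in it are constructed for illustration in the style of vsftpd's own log file and config (other servers, or the xferlog format, need their own parser and keys).

```python
"""Audit checks for the anonymous-FTP drop zone described above.

Added example, not code from the article or from any agency it names.
The log lines and config snippets are constructed for illustration, in the
style of vsftpd's own log file and of vsftpd.conf; other servers (proftpd,
IIS FTP, xferlog format) need their own parser and keys.
"""
import re
from collections import defaultdict

# Constructed vsftpd-style log: an anonymous client drops two large videos,
# a contractor does a legitimate upload, another anonymous client fetches a drop.
SAMPLE_LOG = """\
Sun Jul 11 14:02:17 2004 [pid 1811] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@"
Sun Jul 11 14:02:40 2004 [pid 1811] [ftp] OK UPLOAD: Client "203.0.113.7", "/pub/incoming/clip01.wmv", 8421376 bytes, 412.30Kbyte/sec
Sun Jul 11 14:03:02 2004 [pid 1811] [ftp] OK UPLOAD: Client "203.0.113.7", "/pub/incoming/clip02.wmv", 9115648 bytes, 398.11Kbyte/sec
Sun Jul 11 15:10:11 2004 [pid 1840] [contractor1] OK LOGIN: Client "198.51.100.23"
Sun Jul 11 15:11:45 2004 [pid 1840] [contractor1] OK UPLOAD: Client "198.51.100.23", "/contracts/bridge_plans.pdf", 2048000 bytes, 800.00Kbyte/sec
Sun Jul 11 16:00:00 2004 [pid 1902] [ftp] OK DOWNLOAD: Client "192.0.2.44", "/pub/incoming/clip01.wmv", 8421376 bytes, 1200.00Kbyte/sec
"""

# Constructed vsftpd.conf fragments: the drop-zone configuration and a hardened one.
WEAK_CONF = """\
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
"""
HARDENED_CONF = """\
# contractors get accounts; nobody logs in as "ftp"
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""

# "<wday> <mon> <day> <hh:mm:ss> <year> [pid N] [user] OK <OP>: Client "<ip>"[, "<path>", <n> bytes, ...]"
_LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ [\d:]+ \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] OK (?P<op>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)", (?P<size>\d+) bytes)?'
)
# vsftpd logs anonymous sessions under the local account they map to, normally "ftp".
ANON_USERS = {"ftp", "anonymous"}


def parse_line(line):
    """Return a dict (ts, user, op, ip, path, size) for a recognised line, else None."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"]) if rec["size"] else 0
    return rec


def anonymous_uploads(log_text):
    """(ip, path, size) for every upload by an anonymous user: any hit means
    the server is already being used as a drop zone."""
    return [(r["ip"], r["path"], r["size"])
            for r in map(parse_line, log_text.splitlines())
            if r and r["op"] == "UPLOAD" and r["user"] in ANON_USERS]


def bytes_by_anonymous_client(log_text):
    """Total bytes dropped per anonymous client IP, largest first."""
    totals = defaultdict(int)
    for ip, _path, size in anonymous_uploads(log_text):
        totals[ip] += size
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def audit_vsftpd_conf(conf_text):
    """Findings about anonymous access in a vsftpd.conf (key=value, full-line '#' comments).

    Only explicit settings are judged: vsftpd's default for anonymous_enable
    changed between releases, so a missing key is flagged rather than guessed.
    """
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().upper()
    anon = settings.get("anonymous_enable")
    if anon is None:
        return ["anonymous_enable not set explicitly; set it to NO"]
    if anon != "YES":
        return []
    findings = ["anonymous login enabled (anonymous_enable=YES)"]
    writable = settings.get("write_enable") == "YES" and (
        settings.get("anon_upload_enable") == "YES"
        or settings.get("anon_mkdir_write_enable") == "YES")
    if writable:
        findings.append("anonymous users can upload or create directories: "
                        "this is the drop-zone configuration being abused")
    return findings


if __name__ == "__main__":
    for ip, path, size in anonymous_uploads(SAMPLE_LOG):
        print(f"anonymous upload from {ip}: {path} ({size} bytes)")
    print("per-client totals:", bytes_by_anonymous_client(SAMPLE_LOG))
    print("weak config:", audit_vsftpd_conf(WEAK_CONF))
    print("hardened config:", audit_vsftpd_conf(HARDENED_CONF))
```

The config audit deliberately refuses to assume a default for anonymous_enable, because the value that applies depends on the vsftpd release; an explicit NO is the only setting worth trusting. The log scan counts only completed uploads by the anonymous account, so the contractor's upload and the later anonymous download are ignored; on a real server the per-client byte totals are the quickest way to see who has turned the site into a file host.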
In a statement posted on the Northeast Intelligence Network's Web site yesterday, Mansfield described the poster as "a self-proclaimed U.S.-based terrorist."

In addition to the links to the Arkansas computer server, the al Ansar site featured downloadable copies of video depicting the beheading of American businessman Nicholas Berg, an al Qaeda-produced video called "Wills of Martyrs" and video of a deadly car bomb attack on a housing complex in Riyadh, the Saudi Arabian capital, Mansfield said. The al Ansar site is a popular destination for al Qaeda sympathizers and is often one of the first places where videos of terrorist attacks and ultimatums are posted, Mansfield said.

James Lewis, a senior fellow at the Center for Strategic and International Studies, said that sites run by al Qaeda and its sympathizers change addresses often and rely on word of mouth for publicity. He added that the practice of taking advantage of unsecured computer space to host information is a common tactic of al Qaeda backers.

Terrorist 007 apparently moved the same material to other locations on the Internet, Mansfield said. Earlier this year, a person identifying himself as Terrori
[ISN] Call for donations!
Call for donations for InfoSec News and C4I.org!
http://www.c4i.org/donation.html

Richard Clarke once said... "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked."

InfoSec News is always in a cash crunch. While we could start accepting funds in lieu of sponsorship on the list, we would rather take donations from subscribers to keep InfoSec News advertising free. It's sorely needed and helps a good cause!

For $1.00 at the local diner, you can buy a bottomless cup of coffee. At the local bookstore, a large three shot, double latte cappuccino is about $4.00. Ideally we'd like to see every InfoSec News subscriber sacrifice at least one or two days without his or her coffee to enable us to buy the equipment needed to not only continue the work we've been doing, but improve our services.

In classic public broadcasting style, if you can make a donation of $50 or more, we'll include this year's swank C4I.org shirt and a sticker, and if you have donated $50 or more in the past, thank you very much, I will be contacting you shortly for your shirt size!

Immediate and near term improvements such as a digest version of the list have been implemented (spam & worms have been stopped dead), a server has been purchased, hosting has been taken care of, and RSS feeds of InfoSec News and other crucial security mailing lists will be available soon, as well as the capability to run searches of past InfoSec News articles.

A donation of $1 to $4 isn't a lot when you consider the work done behind the scenes here, such as dealing with Microsoft SMTPSVC, bounced mail, and dead addresses. It's no small feat finding, filtering, formatting, and analyzing the news stories that more than 3800 information security, homeland defense, and open source intelligence professionals depend on on a daily basis.

http://www.c4i.org/donation.html

Through PayPal we can accept donations in the following currencies: U.S. Dollars, Canadian Dollars, Euros, Pounds Sterling, & Yen.

Using Amazon's Honor System, you can use your credit card without retyping it if Amazon already has it on file. However, Amazon keeps approximately 15 percent of each donation.

If you don't trust either one of those methods, that's OK, the mailing address here is...

C4I.org
Post Office Box 24
Golf, Illinois 60029-0024
U.S.A

Donations to C4I.org may be tax deductible, check with your tax advisor.

Thank you for your consideration!

William Knowles
[EMAIL PROTECTED]

*==*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
Help C4I.org with a donation: http://www.c4i.org/donation.html
*==*
_
Help InfoSec News with a donation: http://www.c4i.org/donation.html
[ISN] Hackers target DND computers, break into network
http://www.canada.com/ottawa/ottawacitizen/news/story.html?id=9c7140f5-576f-4c2a-b6dd-d11126882264

By David Pugliese
The Ottawa Citizen
2004.07.02

Defence Department employees are being targeted by suspicious e-mails designed to plant viruses and other malicious code inside military computers, according to a report obtained by the Citizen.

Most of the details about the incidents, code-named Snow Leopard by the Canadian Forces, are wrapped in secrecy. But Defence Department records confirm that hackers were able to gain access to military computers on at least 10 occasions last year. In total in 2003, the military's computer response team dealt with 160 incidents ranging from poor cyber security to unauthorized entry into high-level systems.

According to one report produced in December, defence employees were hit by "suspicious e-mails that appear to be targeting DND individuals in an attempt to 'social engineer' the installation of malicious code." At least one computer was compromised by the mystery e-mail.

Social engineering involves the use of deception to try to gain access to the password of a large computer system or network. For instance, it can be done through e-mails sent by a hacker posing as an organization's computer security official and requesting verification of an individual's password. Malicious code could refer to a variety of problems, including viruses and worms.

Defence officials are refusing to discuss any aspect of the Snow Leopard case, so it is not known how many other department or federal government computers have been compromised, the extent of the attacks, or if they are continuing.

"There's very much classified (information) around Snow Leopard and what it entails," said Canadian Forces spokesman Maj. Mike Audette. "We're not going to discuss in any terms any potential or ongoing communications computer network security operations."
Patrick Naubert, a computer security specialist, said that even if a hacker obtains a password through social engineering, there are still numerous hurdles to overcome before gaining electronic access to the target's computer network. Even if access is gained, the hacker must know roughly what they are looking for, or they face the problem of filtering through thousands of filenames to find the information they want, noted Mr. Naubert of Tyger Team Consultants Ltd.

"DND might not actually care about that, since just any hacker gaining read access to any machine on any of DND's network might be a PR nightmare, regardless of the fact that DND must have an airgap between their 'unprotected' network and their 'protected' network," Mr. Naubert explained.

It's not the first time that military computers have been compromised. In 1999, it took a 17-year-old high school student in the U.S. just 10 minutes to breach the Defence Department's computer system. "The DND site was an easy target," Russell Sanford told the Citizen in 2002. "It was pretty weak." Mr. Sanford said he went in and out of the military computer network over a period of three days.

When the Citizen story emerged, Defence officials acknowledged the breach but claimed the teenager was only able to infiltrate the department's Internet website which did not contain any classified information. But the teenager responded that he had hacked into one of the department's secure computers via its public website. While he did not access or intercept any classified data, Mr. Sanford claimed he could have done so if he had wanted to. Instead he left on the website tips on how the military could improve its computer security.

In one of the Snow Leopard cases, an administrative assistant with the Defence Department's Director of Protocol and Foreign Liaison distributed a suspicious e-mail with an attachment. The malicious code was removed and military officials indicated in their December report that it did not appear the main Defence network computer had been compromised in that incident.

Most details of the Snow Leopard report, released under the Access to Information law, have been censored for reasons of national security. But the incident prompted military officials to warn the Privy Council Office about the attempts to plant malicious code on Defence computers. The Office of Critical Infrastructure Protection and Emergency Preparedness also issued a security advisory to other departments about the probes.
[ISN] PRC surfers hack into DPP Web site
http://www.etaiwannews.com/Taiwan/2004/06/23/1087958173.htm

By Wang Chung-ming
Taiwan News Staff Reporter
2004-06-23

Democratic Progressive Party officials yesterday confirmed that hackers, believed to have originated in the People's Republic of China, recently attacked the home page of the party's official Web site.

On Monday night, the DPP home page was replaced with a picture described as the "inauguration portrait" of President Chen Shui-bian (陳水扁) and Vice President Annette Lu (呂秀蓮). In the picture, the two politicians are frontally nude with Japanese kimonos draped over their backs. The picture is framed with the slogans, "Overthrow A-bian" and "Oppose Taiwan Independence."

Another picture posted on the DPP home page portrayed a Chinese soldier who is taking aim as he prepares to shoot a rifle, with a caption that reads: "I am proud of being Chinese as well as a brave Chinese senior soldier."

Paralyzed by this latest wave of hacking, the DPP computer system was temporarily shut off and no data was thought to have been leaked, according to the DPP information security department. DPP Cultural and Information Department Deputy Director Lee Shi-ming said the party's Web site would be restored today, as DPP headquarters was closed yesterday for the Dragon Boat Festival.

Chung Chia-bin, DPP deputy secretary-general, added that his party had notified the National Information and Communication Security Task Force to ask for help following the hacker attacks. The Cabinet-level NICST is responsible for monitoring all computer systems of Taiwan government agencies or major private companies, especially with an eye to preventing the PRC from engaging in cyber-warfare exercises. The People's Liberation Army is believed to be placing great emphasis on cyberspace attacks intended to paralyze the computer operations of strategic targets as part of an effort to "decapitate" Taiwan in a shock attack.

The DPP is among the organizations monitored regularly by NICST, Chung said, who noted that China's attacks against the party are on the rise. "We often detect that DPP Web sites - including those of the central headquarters and local branches - have been attacked by hackers," Chung said. "But this week has seen a trend where the hacking has been intensified."

In recent years, PRC hacker threats toward Taiwan have often been intensive campaigns, launched in retaliation against local political moves opposed by Beijing. In May 2003, for example, when activists enthusiastically campaigned for the rectification of Taiwan's name, a hacker's Web site in China threatened to hack into the official Web sites of Taiwanese government agencies for 11 days to retaliate against the country's pro-independence activities.

Taiwan recently completed a computer-simulated war game and may coordinate these exercises with the United States and Japan in the future in an effort to enhance its information technology capabilities. But China is now gearing up for large-scale military exercises which are to take place in June and July on Dongshan Island in southeastern Fujian Province just 150 nautical miles west of Taiwan's Penghu Islands, with the goal of the games being to "take control of the Taiwan Strait." It is believed that cyber warfare will be part of the exercises.

_
ISN mailing list
Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie! (Broke? Spend 15 minutes a day on the project!)
[ISN] Beijing wages cyberwar against DPP headquarters
http://www.taipeitimes.com/News/front/archives/2004/06/16/2003175231

By Ko Shu-ling
STAFF REPORTER
June 16, 2004

An army of hackers based in China has broken into Democratic Progressive Party (DPP) databases, stealing classified information such as President Chen Shui-bian's (陳水扁) personal itinerary, according to a Cabinet official who asked not to be named.

"This is the first time we have found that the DPP headquarters' computer systems were breached by Chinese hackers," the official said. "The incident has sent jitters through the Ministry of National Defense, which deems a systematic information attack launched by China as military warfare."

Information stolen from party headquarters included the personal itineraries of Chen, who doubles as DPP chairman, and those of other high-ranking party officials such as DPP Secretary-General Chang Chun-hsiung (張俊雄). Also leaked was classified information on visits to the US by high-ranking DPP officials ahead of the US presidential election.

According to the Cabinet official, the DPP headquarters was an easy target and the attackers were aware it would be more difficult to break into computer systems belonging to the Presidential Office or the defense ministry, where security is tighter. The attacks were noted a few days ago and the situation has been monitored 24 hours a day since.

This is not the first time that China has conducted information warfare against Taiwan. Last September, the Cabinet discovered that hackers in Hubei and Fujian provinces had spread 23 different Trojan horse programs to the networks of 10 private high-tech companies in Taiwan and used them as a springboard to break into at least 30 different government agencies and 50 private companies. The Trojan horse programs were used against the National Police Administration, the defense ministry, the Central Election Commission and the central bank.

Since it appeared no government information had been stolen, the Cabinet suspected that the program was likely aimed at paralyzing the nation's computer systems, stealing sensitive government information or preparing computers for future information warfare.

Trojan horses are one of the most serious threats to computer security. A computer user may not only have been attacked but may also be attacking others unknowingly.
[ISN] Internet needs law enforcement, author says
http://www.nwfusion.com/news/2004/0608gartnsummi.html

By Grant Gross
IDG News Service, 06/08/04

The Internet is a "god-awful mess," but few U.S. government officials are willing to take action against virus writers, spammers and other scammers, author Bruce Sterling said at the Gartner IT Security Summit Tuesday in Washington, D.C.

Disorder and corruption are winning on the Internet, and computer users need the U.S. government to crack down on the thieves preying on the Internet, said Sterling, author of futuristic novels Heavy Weather and Islands in the Net and the nonfiction book The Hacker Crackdown: Law and Disorder on the Electronic Frontier.

"We had a digital revolution in the 1990s -- now we've slid into digital terror," Sterling said during his hour-long critique on the state of cybersecurity. "Today's Internet is a dirty mess -- its revolution failed. E-commerce was extremely inventive for a while, but the financing model was corrupt. There was poor governance in the financial systems, there was worse industrial policy; the upshot was a spectacular industry-wrecking boom and bust."

Most of the advancements in Internet commerce since the dot-com bust have been illegal, Sterling noted, including spamming, identity theft, and "phishing," which is theft of credit card numbers or other personal information by directing customers to bogus Web sites to change their account settings. "If you advance into mayhem, that's not advancement, that's driving into a ditch," he added.

Sterling offered what he called a little good news about cybersecurity, the recent arrests of a handful of virus or worm writers, including the arrest in May of the 18-year-old German man who allegedly wrote the Sasser worm. "The world is never going to run out of disaffected teenagers," he said.

But Sterling said he's not overly worried about bored 18-year-old worm writers who are unsophisticated enough to get caught; instead he's concerned about the authors of such malicious code as Slammer, Code Red, and Witty because they haven't been caught. The authors of the Witty worm targeted users of Internet Security Systems' products, while the Bagle and Mydoom virus authors attempted to turn infected computers into spam-sending machines, Sterling said.

"Bagle and Mydoom are the future of virus-writing because they have a business model," he said. "Those are organized crime activities. ... These are crooks."

Virus and worm writing will grow as a weapon for terrorists and warring nations, he predicted. Terrorists operating in places with little central government control will begin to see cyberterrorism as an effective weapon because of a lack of international cooperation on cybersecurity enforcement, he said. He listed a dozen such countries, including Somalia, Bosnia and the Philippines.

"This is the birth of a genuine, no-kidding, for-profit ... multinational criminal underworld," he said. "I don't see any way it can't happen. We're going to end up getting pushed around by bands of international electronic thieves in a very similar way to the way we've been pushed around by gangs of international Mafia and international Mujahideen terrorists." The new tools of terrorists and criminals will be "oil, narcotics, guns and broadband," he said.

With cyberthreats likely to rise, the U.S. government needs to focus on enforcement of existing laws, including antifraud laws, Sterling said. He praised New York Attorney General Eliot Spitzer, who prosecuted Buffalo spammer Howard Carmack earlier this year, as well as other white collar criminals.

Although virus writers and many spammers break existing laws, most prosecutors seem reluctant to take on computer cases, Sterling said. "In my opinion, we need a thousand guys like (Spitzer)," Sterling said. "We've got a ridiculous amount of computer laws."

Efforts such as the Controlling the Assault of Non-Solicited Pornography and Marketing Act, passed by Congress in late 2003, are "phoney-baloney gestures," Sterling said. Instead of weak laws, the U.S. government needs to sponsor a multistate computer crime task force that enforces existing laws, he said. He also recommended that the U.S. post names of spammers and other Internet scammers on a Web site for everyone to see.

Sterling also praised parts of the National Strategy to Secure Cyberspace, released by the Bush administration in February 2003, calling it "modest and feasible." The document recommended that nations work together to combat cyberthreats, and such cooperation is needed to fight borderless cyberterrorism, Sterling said. But the strategy is likely to go nowhere after former Bush cybersecurity chief Richard Clarke criticized his former boss' counterterrorism efforts in a book released earlier this year, Sterling said.
[ISN] Expert calls for better security
http://www.fcw.com/fcw/articles/2004/0531/web-secure-06-03-04.asp

By Dibya Sarkar
June 3, 2004

A leading expert who helped develop the federal cybersecurity strategy during the Clinton administration said the plan is not working and needs to be overhauled.

"We are grossly unprepared to address the issue of cyberterrorism," said Jeffrey Hunker, a professor of technology policy at Carnegie Mellon University.

Hunker, who spoke today at a Washington, D.C., homeland security conference sponsored by McGraw-Hill Companies, said people need to better understand the threats, build national structures for network security, understand the interdependencies with critical infrastructure, build incentives for educational awareness and recognize new technologies and standards.

He listed six suggestions to improve cybersecurity:

* Invest more in collecting statistics related to cybercrime.
* Keep what works, such as federal research and development funding, private and public partnerships, and a federal program that provides scholarships to undergraduate and graduate students studying computer security.
* Develop national standards that have teeth, meaning officials would enforce them.
* Expand and clearly define organizational and personal liability.
* Have the Securities and Exchange Commission require companies to disclose cybersecurity investments to their investors.
* Adjust federal research and development practices to also focus on developing management programs.

Hunker, a former senior director of critical infrastructure with the National Security Council, said the United States has also failed to take leadership to shape global policy, leaving that to the European Union, United Nations and others.

The United States, he added, hasn't seen anything that can even be characterized as cyberterrorism. Most events should be described as either cybercrime or vandalism. "These are...inconvenient but don't rise to the level of national security," he said.

However, he said there have been cyber skirmishes between countries such as China and Taiwan and between Israelis and Palestinians. He said after the Chinese embassy was bombed in Belgrade, Yugoslavia, in 1999 by NATO forces, Chinese hackers launched a number of attacks against U.S. federal institutions.

However, Hunker, who is writing a book about the subject due out soon, said he expects to see some type of cyberterrorist attack in the next five years.
[ISN] Network Card Theft Causes Internet Outage
http://www.eweek.com/article2/0,1759,1583347,00.asp

By Sean Gallagher
May 3, 2004

UPDATED: The theft of network cards from a Verizon central office in New York has caused some customers there to lose their Internet access.

A handful of corporate customers were left without e-mail and Internet access Monday after the theft of networking equipment from a New York City office late Sunday.

Law enforcement officials said four DS-3 cards were reported missing from a Manhattan co-location facility owned by Verizon Communications Inc. The theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is being investigated by New York City Police and members of the joint terrorism task force, according to NYPD spokesman Lt. Brian Burke.

The outage affected area customers of Sprint Corp., including Ziff Davis Media Inc., the publisher of eWEEK.com.

"We found backup cards in the area," said Charles Fleckenstein, spokesman for Sprint in Overland Park, Kan. "All of the cards are now on site in New York. [They] are being installed at this moment." Service was being restored to customers as the cards were being installed, he said.

Sprint officials said other ISPs were affected by the incident, but declined to identify them. Verizon spokesman Dan Diaz would not identify which providers were affected by the theft of the equipment. Diaz said no Verizon Internet customers were affected by the outage.

Fleckenstein said that the outage was "not major," and not large enough to require a report to the Federal Communications Commission. In addition, no notice of the outage was posted to Sprint's Scheduled Maintenance and Outage page. Under FCC rules, phone carriers must report outages affecting more than 50,000 subscribers within two hours.

Editor's Note: This story was updated with later information from Sprint.
[ISN] DHS, NSA team on cybersecurity
http://www.fcw.com/fcw/articles/2004/0426/web-nsa-04-27-04.asp

By Frank Tiboni
April 27, 2004

The National Security Agency and the Homeland Security Department will work together on educational initiatives to strengthen the country's computer infrastructure.

On April 22, officials from NSA and DHS announced the formation of the National Centers of Academic Excellence in Information Assurance Education. It stems from NSA's Centers of Academic Excellence in Information Assurance Education Program, which started in 1998 and recognizes 50 universities in 26 states.

"America is already reaping benefits from the current centers," said Daniel Wolf, director of NSA's Information Assurance Directorate, in a statement. "Graduates steeped in information assurance education are now entering the federal and greater American workforce. Those graduates, and graduates to come, are forming the cornerstone for America, taking cybersecurity to the very edges of the National Information Infrastructure and the Global Information Grid."

The National Strategy to Secure Cyberspace, issued in 2002 by the Bush administration, directs the government to foster training and education programs that support computer security needs and responsibilities, and improve existing information assurance programs.

Earlier this month, NSA officials announced they would hire 1,500 people by September and 1,500 employees each year for the next five years. Agency jobs include information technology and acquisition positions in addition to traditional code-making and code-breaking roles, according to an April 7 statement.
[ISN] In cyberwar game, US Army confronts enemies within
http://www.forbes.com/business/businesstech/newswire/2004/04/21/rtr1341011.html

By Eric Auchard
Reuters
04.21.04

WEST POINT, N.Y. (Reuters) - The mission: to secure an entire computer network for the United States and its allies against a vague enemy force. Hostile agents aim to wreak havoc on military plans, sabotaging databases, computer terminals and communications.

But the cyber warriors planning a best defense aren't analysts hunkered down at the Pentagon. They are cadets at West Point competing against military academies and other schools in a four-day Cyber Defense Exercise this week. And the "enemy" isn't al Qaeda or Iraqi insurgents. It's a team led by none other than the National Security Agency.

Cyber warfare, a subset of classic information war that goes back as far as ancient Chinese military strategist Sun Tzu, has pushed its way into U.S. military curricula as the Internet has become pervasive.

"Anything hooked up to the Internet is vulnerable," said Emmanuel Eleyae, 22, a senior Army cadet from Chino, California, who is taking part in the war game. "I'm not really scared. I'm looking forward to the best exploits that the NSA can throw at us," said Eleyae, who, after graduating in May, is shipping out to officer training school, then off to a position with a U.S. armored unit in South Korea.

Armchair information warfare theorists can check their attitudes at the door, event organizers say. The threats are more pedestrian, virtually speaking, the sort that many corporate network administrators must contend with every day. But in war, a cyber attack can leave armies fighting blind.

Participants huddled around computers in this olive-green, camouflage-shrouded training room aren't too concerned with science fiction apocalypse scenarios. The cadets rely on widely available network defenses based on Linux software, the same automated tools in the arsenal of any company network manager.
RULES OF THE GAME

The NSA team, known as the "Red Cell," launches attacks on selected networks at the Air Force, Army, Coast Guard, Merchant Marine and Navy academies from an operations center somewhere in Maryland. The computer scenario plays out virtually inside the cadets' computers.

Going on the offensive, or using so-called hackback techniques, is against competition rules. Also out-of-bounds are forms of sabotage in which computers can be turned into zombies and used to attack opponent machines with millions of data messages, shutting down communication.

"This exercise is solely concerned with defending networks, not attacking them," said Maj. Ron Dodge, coach of the Army's 32-member team and a professor at the U.S. Military Academy at West Point.

Security consultant Michael Erbschloe of Alexandria, Virginia, says the focus on vulnerability detection is the basis of all effective cyber defense. He estimates 99 percent of attacks exploit a few dozen known network weaknesses. "If you keep out 99 percent of those attacks, it's easier to guard against the 1 percent that make up the real threats to networks," said Erbschloe, author of "Information Warfare: How to Survive Cyber Attacks."

The rules this year are designed to make the competition simulate more of a 24-hour operation, despite the reality that "Taps" still sounds at 2330 (11:30 p.m.) and cadets are required to be in bed with lights out by then. Overnight, the enemy can prey upon any network vulnerabilities with impunity.

Army lost last year not because of a successful outside attack but from a self-inflicted wound in which an authorized network user accidentally knocked out service for several hours, costing precious points that helped Air Force prevail. Army cadets won the exercise during its first two years.
[ISN] Auditors working on cyber-risk standard
http://www.computerweekly.com/articles/article.asp?liArticleID=129851&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1

by Nick Huber
13 April 2004

Plans by an industry consortium to develop a checklist to assess cyber-threats could help IT directors justify security spending and help protect companies against hackers, according to IT directors and industry experts.

The consortium, which includes the Big Four accountancy firms and US-based insurance giant AIG International, aims to agree a cyber-risk model that can be used by companies in all industries. Auditors and insurers could also use the risk preparedness index to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised - and the companies involved in the consortium have declined to comment further - security experts said it will focus on an organisation's IT security safeguards, such as its firewalls and anti-virus software, and compare this to the security threats it faces.

IT directors welcomed the security initiative. "IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative," said Barclays Group chief technology officer Kevin Lloyd. "We will continue to monitor the development of this framework with interest," he said.

Nick Leake, director of operations and infrastructure at ITV, said, "I think the real value of this approach is in sorting out the companies with dreadful levels of non-compliance/operation from those with high levels. It will not be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up-to-date," he said.

Industry experts said a model for measuring security risk would be a breakthrough if it was widely adopted. The model would also help IT departments justify security spending.

"The new security standard looks promising, although a lot of the devil will be in the detail," said Graham Titterington, principal analyst at Ovum. "It will make it easier for people to justify spending on IT security because the backers of the standard are blue chip companies, which gives it credibility with the board."

Current standards for information security, such as BS7799, do not focus primarily on assessing security risks to a business, Titterington added.

Neil Barrett, technical director of security consultancy Information Risk Management, said the security model would allow IT directors to measure their organisations' security arrangements against a benchmark.
[ISN] Arrests key win for NSA hackers
http://www.globetechnology.com/servlet/story/RTGAM.20040406.gtterror06/BNStory/Technology/

By DAVID AKIN
Globe and Mail Update
Apr. 6, 2004

A computer hacker who allowed himself to be publicly identified only as ''Mudhen'' once boasted at a Las Vegas conference that he could disable a Chinese satellite with nothing but his laptop computer and a cellphone. The others took him at his word, because Mudhen worked at the Puzzle Palace -- the nickname of the U.S. National Security Agency facility at Fort Meade, Md., which houses the world's most powerful and sophisticated electronic eavesdropping and anti-terrorism systems.

It was these systems, plus an army of cryptographers, chaos theorists, mathematicians and computer scientists, that may have pulled in the first piece of evidence that led Canadian authorities to arrest an Ottawa man on terrorism charges last week.

Citing anonymous sources in the British intelligence community, The Sunday Times reported that an e-mail message intercepted by NSA spies precipitated a massive investigation by intelligence officials in several countries that culminated in the arrest of nine men in Britain and one in suburban Orleans, Ont. -- 24-year-old software developer Mohammed Momin Khawaja, who has since been charged with facilitating a terrorist act and being part of a terrorist group.

The Orleans arrest is considered an operational milestone for this vast electronic eavesdropping network and its operators. But Dave Farber, an Internet pioneer and computer-science professor at Carnegie-Mellon University in Pittsburgh, said the circumstances are also notable because it will be the first time that routine U.S. monitoring of e-mail traffic has led to an arrest.

"That's the first admission I've actually seen that they actually monitor Internet traffic. I assumed they did, but no one ever admitted it," Mr. Farber said.

Officials at the NSA could not be reached for comment. But U.S. authorities are uniquely positioned to monitor international Internet and telecommunications traffic because many of the world's international gateways are located in their country. And once that electronic traffic touches an American computer -- an e-mail message, a request for a website or an Internet-based phone call, for instance -- it is routinely monitored by NSA spies.

"Foreign traffic that comes through the U.S. is subject to U.S. laws, and the NSA has a perfect right to monitor all Internet traffic," said Mr. Farber, who has also been a technical adviser to the U.S. Federal Communications Commission.

That's what happened in February, when NSA officers at Fort Meade intercepted a message between correspondents in Britain and Pakistan, The Sunday Times reported. The contents of that message have not been revealed, but are significant enough that dozens of intelligence officials were mobilized in Britain, Canada and the United States.

The intelligence officers at Fort Meade rely on a sophisticated suite of supercomputers and telecommunications equipment to analyze millions of messages and phone calls each day, looking for certain keywords or traffic patterns.

Internet traffic is chopped up into small chunks called packets, and each individual packet is then routed over the Internet independently, to be reassembled at the recipient's end. The packet is wrapped in what computer scientists sometimes refer to as the envelope. And just as the exterior of a regular piece of mail contains important addressing information, so does the envelope of a digitized packet. These bits of information are called headers, and they can be valuable to investigators as well.

Headers do not describe the message itself; they describe the packet. The IP header carries a protocol number that says whether the payload is TCP, UDP or something else, and a type-of-service field intended to let routers favour some traffic over other traffic, although on the public Internet that field is largely ignored. The transport header that follows carries port numbers that identify the application in use, such as 25 for e-mail delivery or 53 for domain-name lookups.

Headers also carry the numeric Internet Protocol (IP) address of the machine that sent the packet and of its destination. They do not record the addresses of the routers the packet passes through along the way; those are visible only to the routers themselves, or to anyone tapping the links between them. Nor is an IP address a firm identifier for one device: addresses are reassigned over time, and many machines commonly share one public address behind a network address translator, so an address points to a network and a moment rather than to a person.

Investigators could program their supercomputers to flag packets that met certain criteria, such as a certain IP address, a certain traffic pattern or a certain kind of content. As soon as a packet is flagged, investigators would apply for warrants to assemble the packets and read the messages' contents.
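How selectors of that kind operate on the header fields described above, as an added example that is not part of the article: the Python below builds a few IPv4 packets (constructed sample traffic in documentation address ranges), parses each header the way a capture tool would, verifies the header checksum, and flags packets by watch-listed address or port. The watch list, the addresses and the choice of setting aside port 25 (SMTP) traffic for review are assumptions made for illustration. The parser also makes the point above concrete: the header yields only the two endpoint addresses, never the path.

```python
"""Parse IPv4 and TCP/UDP headers from raw packets and flag the ones that match
selectors (watch-listed addresses and ports). All sample packets are constructed
below; nothing here touches a live network."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

IPPROTO_TCP, IPPROTO_UDP = 6, 17


@dataclass(frozen=True)
class PacketMeta:
    src: str
    dst: str
    protocol: int
    tos: int
    ttl: int
    src_port: Optional[int]
    dst_port: Optional[int]
    payload_len: int


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, l4: bytes, tos: int = 0, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, DF set, around an L4 segment."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(l4), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + l4


def parse_ipv4(raw: bytes) -> PacketMeta:
    """Extract what the header really carries: the two endpoint addresses, protocol,
    TOS, TTL and (for TCP/UDP) the ports. Intermediate routers leave no trace here."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    l4 = raw[ihl:total_len]
    src_port = dst_port = None
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(l4) >= 4:
        src_port, dst_port = struct.unpack("!HH", l4[:4])  # ports lead both TCP and UDP headers
    return PacketMeta(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                      proto, tos, ttl, src_port, dst_port, len(l4))


def match_selectors(meta: PacketMeta, watch_ips: Set[str], watch_ports: Set[int]) -> List[str]:
    """Reasons a packet is of interest; an empty list means it passes unremarked."""
    reasons = []
    for label, addr in (("source", meta.src), ("destination", meta.dst)):
        if addr in watch_ips:
            reasons.append(f"{label} address {addr} is watch-listed")
    for label, port in (("source", meta.src_port), ("destination", meta.dst_port)):
        if port is not None and port in watch_ports:
            reasons.append(f"{label} port {port} is watch-listed")
    return reasons


def tcp_segment(sport: int, dport: int, payload: bytes) -> bytes:
    """20-byte TCP header (PSH|ACK, checksum left zero) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload


def udp_datagram(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed sample traffic using RFC 5737 documentation ranges, not real hosts.
SAMPLE_PACKETS = [
    build_ipv4("192.0.2.10", "198.51.100.25", IPPROTO_TCP, tcp_segment(40000, 25, b"EHLO mail.example\r\n")),
    build_ipv4("192.0.2.10", "203.0.113.53", IPPROTO_UDP, udp_datagram(53001, 53, b"\x12\x34\x01\x00")),
    build_ipv4("203.0.113.7", "192.0.2.20", IPPROTO_TCP, tcp_segment(51000, 443, b"\x16\x03\x01"), ttl=50),
]
WATCH_IPS = {"203.0.113.7"}  # hypothetical watch-listed address
WATCH_PORTS = {25}           # hypothetical: set SMTP aside for review


def flag_traffic(packets=SAMPLE_PACKETS, watch_ips=WATCH_IPS, watch_ports=WATCH_PORTS) -> Dict[int, List[str]]:
    """Map packet index -> reasons, for every packet that matched at least one selector."""
    flagged = {}
    for i, raw in enumerate(packets):
        reasons = match_selectors(parse_ipv4(raw), watch_ips, watch_ports)
        if reasons:
            flagged[i] = reasons
    return flagged


if __name__ == "__main__":
    for i, reasons in flag_traffic().items():
        print(i, parse_ipv4(SAMPLE_PACKETS[i]), reasons)
```

Flagging is cheap because it reads fixed offsets in the first few dozen bytes; reading the message itself means reassembling every fragment and TCP segment of a flow, which is why the article separates the automated flag from the warranted step that follows it.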
[ISN] Secret hackers to aid war on internet fraud
http://www.timesonline.co.uk/article/0,,5-1063208,00.html

April 05, 2004
By Joe Morgan

FEARS that small online retailers are the weakest link in the fight against internet fraud have prompted MasterCard, the global payment scheme group, to set up secret teams of hackers to test security systems in the sector.

The Times has learnt that the project, named Site Data Protection (SDP), will go live in May and will target online outlets that fail to comply with appropriate levels of internet security. SDP teams will be recruited by the banks that have relationships with online merchants whose systems do not come up to scratch.

Brian Morris, head of e-business solutions at MasterCard, said that while large online retailers had robust internet security systems, small and medium-size enterprises (SMEs) "could benefit from the assistance".

Organised criminal gangs are increasingly hacking into the systems of online retailers and stealing subscribers' credit card and personal details. The information can then be used to commit "card-not-present fraud" - fraudulent buying of goods and services from a remote location, usually by phone or via the internet. Card-not-present fraud is thought to be one of the world's fastest growing crimes.

Stolen personal details have also been used by gangs to commit "phishing", sending fake e-mails purporting to be from a bank or retailer to cardholders to trick them into revealing bank account details. MBNA and Barclays were recently victims of phishing.

Mr Morris said: "This initiative will help a lot of merchants. Websites will be tested to see if firewalls are secure enough and backdoor and trapdoor areas are not susceptible to hackers. We will also test all routes in and out of sites." He said that the cost of the services would be determined by the banks.

Medium-size retailers' exposure to fraud could also rise dramatically following this year's nationwide roll out of chip and PIN, a new anti-fraud initiative pioneered by the banks. While large retailers benefit from economies of scale in upgrading to the new checkout terminals, where customers pay using a four-digit number, smaller businesses find the costs a heavy burden.
Re: [ISN] Mutating software could predict hacker attacks (Two messages)
Forwarded from: Dave Close <[EMAIL PROTECTED]>

> But now software engineers at Icosystem in Cambridge, Massachusetts,
> have developed a program that can predict what is coming next by
> "evolving" future hacker and virus attacks based on information from
> known ones.

Isn't it obvious to anyone besides me that any such tool would be just as useful to malware writers as to good guys? In fact, aren't some of the malware mutations just such minor modifications? But if a malware writer could incorporate such technology in the malware itself, he'd have a self-mutating virus and anti-virus software would be useless.

I trust Icosystem is being very careful, but even publicizing the idea can have consequences. And I have no doubt that the code itself will eventually become available to those who might want it.

--
Dave Close, Compata, Costa Mesa CA
+1 714 434 7359
[EMAIL PROTECTED]
[EMAIL PROTECTED]
"No woman in my time will be Prime Minister." -- Margaret Thatcher, 1969

-=-

Forwarded from: [EMAIL PROTECTED]

I don't know what kind of firewall they use, but I know that our Cisco Velociraptor does more than protect against "known attacks." Is this a case of FUD or is this a case of someone not really knowing what the hell they're talking about, or just trying to capitalize on ignorance to sell their product?

Regards,
CJ Lamb

http://www.newscientist.com/news/news.jsp?id=ns4588
25 January 04

Novel computer viruses and worms can sweep the world within hours, leaving a trail of devastation, because firewalls and antiviral software work by identifying the telltale signatures of known attacks. They are useless against anything completely new.

-
ISN is currently hosted by Attrition.org
To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
[ISN] The Farewell Dossier
Forwarded from: Anonymous @ c4i.org

http://www.nytimes.com/2004/02/02/opinion/02SAFI.html

By WILLIAM SAFIRE
February 2, 2004

WASHINGTON - Intelligence shortcomings, as we see, have a thousand fathers; secret intelligence triumphs are orphans. Here is the unremarked story of "the Farewell dossier": how a C.I.A. campaign of computer sabotage resulting in a huge explosion in Siberia - all engineered by a mild-mannered economist named Gus Weiss - helped us win the cold war.

Weiss worked down the hall from me in the Nixon administration. In early 1974, he wrote a report on Soviet advances in technology through purchasing and copying that led the beleaguered president - détente notwithstanding - to place restrictions on the export of computers and software to the U.S.S.R.

Seven years later, we learned how the K.G.B. responded. I was writing a series of hard-line columns denouncing the financial backing being given Moscow by Germany and Britain for a major natural gas pipeline from Siberia to Europe. That project would give control of European energy supplies to the Communists, as well as generate $8 billion a year to support Soviet computer and satellite research.

President François Mitterrand of France also opposed the gas pipeline. He took President Reagan aside at a conference in Ottawa on July 19, 1981, to reveal that France had recruited a key K.G.B. officer in Moscow Center. Col. Vladimir Vetrov provided what French intelligence called the Farewell dossier. It contained documents from the K.G.B. Technology Directorate showing how the Soviets were systematically stealing - or secretly buying through third parties - the radar, machine tools and semiconductors to keep the Russians nearly competitive with U.S. military-industrial strength through the 70's. In effect, the U.S. was in an arms race with itself.

Reagan passed this on to William J. Casey, his director of central intelligence, now remembered only for the Iran-contra fiasco. Casey called in Weiss, then working with Thomas C. Reed on the staff of the National Security Council. After studying the list of hundreds of Soviet agents and purchasers (including one cosmonaut) assigned to this penetration in the U.S. and Japan, Weiss counseled against deportation.

Instead, according to Reed - a former Air Force secretary whose fascinating cold war book, "At the Abyss," will be published by Random House next month - Weiss said: "Why not help the Soviets with their shopping? Now that we know what they want, we can help them get it." The catch: computer chips would be designed to pass Soviet quality tests and then to fail in operation. In our complex disinformation scheme, deliberately flawed designs for stealth technology and space defense sent Russian scientists down paths that wasted time and money.

The technology topping the Soviets' wish list was for computer control systems to automate the operation of the new trans-Siberian gas pipeline. When we turned down their overt purchase order, the K.G.B. sent a covert agent into a Canadian company to steal the software; tipped off by Farewell, we added what geeks call a "Trojan Horse" to the pirated product.

"The pipeline software that was to run the pumps, turbines and valves was programmed to go haywire," writes Reed, "to reset pump speeds and valve settings to produce pressures far beyond those acceptable to the pipeline joints and welds. The result was the most monumental non-nuclear explosion and fire ever seen from space."

Our Norad monitors feared a nuclear detonation, but satellites that would have picked up its electromagnetic pulse were silent. That mystified many in the White House, but "Gus Weiss came down the hall to tell his fellow NSC staffers not to worry. It took him another twenty years to tell me why."

Farewell stayed secret because the blast in June 1982, estimated at three kilotons, took place in the Siberian wilderness, with no casualties known. Nor was the red-faced K.G.B. about to complain publicly about being tricked by bogus technology. But all the software it had stolen for years was suddenly suspect, which stopped or delayed the work of thousands of worried Russian technicians and scientists.

Vetrov was caught and executed in 1983. A year later, Bill Casey ordered the K.G.B. collection network rolled up, closing the Farewell dossier. Gus Weiss died from a fall a few months ago. Now is a time to remember that sometimes our spooks get it right in a big way.

E-mail: [EMAIL PROTECTED]
[ISN] Microsoft Patches Serious IE Flaw
http://www.eweek.com/article2/0,4149,1485698,00.asp

By Dennis Fisher
February 2, 2004

Microsoft Corp. on Monday finally released a patch for a dangerous vulnerability that lets attackers trick Internet users into visiting malicious sites. The flaw has been public knowledge for some time, but Microsoft failed to include a fix for it with January's scheduled patch releases.

The vulnerability has to do with the way IE parses URLs, specifically those that contain special characters. Using this weakness, an attacker can create a link that looks like it will send a user to a legitimate site, such as www.eweek.com. However, once the user clicks on the link, the attacker can cause content from another site to appear in the window, while the address bar still shows the legitimate name.

Microsoft typically releases security fixes on the second Tuesday of each month. But the seriousness of this vulnerability caused the company to publish this patch out of cycle.

The company also released patches for two other flaws in IE Monday. One of the vulnerabilities is in the cross-domain security model in IE, which is supposed to keep windows in different domains from sharing data. This weakness allows an attacker to run script in the security context of another domain on the victim's computer if he can get the user to visit a malicious Web site or open an HTML e-mail message. The other weakness involves dynamic HTML operations and allows an attacker to save a file on a target user's machine. The file would not execute automatically.
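A link whose visible text names one site while its destination is another is the pattern the article describes, and it can be checked before the user clicks. As an added example, not Microsoft's fix and not from the article, the Python below compares the host a reader sees in the anchor text with the host a URL parser actually resolves, and flags two authority tricks that make such links look legitimate: user-info before an '@' (so a decoy hostname can sit where the real one is expected) and percent-encoded control characters that some displays truncate on. The sample links are constructed; 203.0.113.5 and attacker.example are documentation addresses.

```python
"""Flag hyperlinks whose visible text names one site while the href resolves to
another. urllib.parse supplies the authoritative host; sample links below are
constructed, not taken from any real message."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# First hostname-looking token in the visible text, after an optional scheme.
# This approximates what a reader takes the link to point at.
HOST_IN_TEXT = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([a-z0-9.-]+)", re.I)


def displayed_host(text: str) -> Optional[str]:
    m = HOST_IN_TEXT.match(text.strip())
    host = m.group(1).lower().strip(".") if m else ""
    return host if "." in host else None  # "Click here" names no host at all


def actual_host(href: str) -> str:
    """Host the browser will connect to; anything before a final '@' is user-info."""
    return (urlsplit(href).hostname or "").lower()


def analyze_link(text: str, href: str) -> Dict[str, object]:
    parts = urlsplit(href)
    shown, real = displayed_host(text), actual_host(href)
    findings: List[str] = []
    if "@" in parts.netloc:
        findings.append("user-info before '@' in the authority (decoy host position)")
    if any(ord(c) < 0x20 or c == "\x7f" for c in unquote(parts.netloc)):
        findings.append("control character in the authority (display truncation trick)")
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    # A subdomain of the named site is accepted; a different registrable host is not.
    if shown and real and shown != real and not real.endswith("." + shown):
        findings.append(f"text names {shown} but the link goes to {real}")
    return {"shown": shown, "real": real, "findings": findings, "suspicious": bool(findings)}


# Constructed sample links (RFC 5737 / RFC 2606 example addresses).
SAMPLE_LINKS = [
    ("www.eweek.com", "http://www.eweek.com/article2/0,4149,1485698,00.asp"),
    ("www.eweek.com", "http://www.eweek.com%01@203.0.113.5/login"),
    ("eweek.com", "http://eweek.com.attacker.example/"),
    ("Click here", "http://203.0.113.5/"),
    ("eweek.com", "https://news.eweek.com/"),
]


def scan_links(links=SAMPLE_LINKS) -> List[Dict[str, object]]:
    return [dict(text=t, href=h, **analyze_link(t, h)) for t, h in links]


if __name__ == "__main__":
    for r in scan_links():
        print("SUSPECT" if r["suspicious"] else "ok     ", r["href"], r["findings"])
```

The check is deliberately conservative: "Click here" pointing at a bare IP address produces no finding, because there is no claimed host to contradict. A mail gateway would pair this with its own policy on raw-IP links; the point here is that the host shown and the host parsed must be compared by a real URL parser, not by eye.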
[ISN] UK teen escapes jail in nuclear lab hack case
http://www.theregister.co.uk/content/55/35280.html

By John Leyden
Posted: 02/02/2004

A UK teenager who admits breaking into the network of Fermilab, a US high-energy physics research lab, has escaped imprisonment. Joseph McElroy, 18, from Woodford Green in East London, was today sentenced to 200 hours community service at a hearing at Southwark Crown Court this afternoon.

Passing sentence, Judge Goymer told McElroy: "You have only just escaped prison." People found guilty of similar offences in the future would not be so fortunate, he said. Fermilab had pressed for £21,215 compensation from McElroy, but he escaped a fine, on the grounds that he had no means to pay.

McElroy pleaded guilty to hacking into 17 computers at the Fermi National Accelerator Laboratory in June 2002 at a hearing at Bow Street Magistrates' Court last October. His actions contravened the UK's Computer Misuse Act.

McElroy's escapades were described by the prosecution as the low end of hacking, and the Crown accepted that the youth had no malicious intent. But his actions had serious consequences, even though his objective was only to use the lab's network to download films and music from the Net. The lab's computer systems had to be shut down for three days once the intrusion - which triggered a full-scale alert - was discovered.

Fermilab is run by the US Department of Energy. It was quickly established that classified systems were not accessed, but the authorities pressed ahead with a prosecution. US investigators tracked the intrusion to the UK before passing the case over to Scotland Yard's Computer Crime Unit; it in turn tracked McElroy to his parents' home in east London.
[ISN] InfoSec News List Information
http://www.c4i.org/isn.html

InfoSec News is a privately run, medium traffic list that caters to the distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

To subscribe to ISN, send mail to [EMAIL PROTECTED] with "subscribe isn" in the BODY of the mail.
To unsubscribe from ISN, send mail to [EMAIL PROTECTED] with "unsubscribe isn" in the BODY of the mail.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

 * Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
 * Information on where to obtain articles in current magazines.
 * Security book reviews and information.
 * Security conference/seminar information.
 * New security product information.
 * And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list. Anonymous feedback is welcome.

Please DO NOT:

 * subscribe vanity mail forwards to this list
 * subscribe from 'free' mail addresses (ie: juno, hotmail)
 * enable vacation messages while subscribed to mail lists
 * subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as 75+ returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s). This is not a whim! Other moderators have begun to do the same.

Special thanks to the following for continued contribution: William Knowles, Will Spencer, Jay Dyson, Emerson Tan, Nicholas Brawn, Felix von Leitner, Robert G. Ferrell, Eric Wolbrom, Brian Martin, Marjorie Simmons, Richard Forno, Darren Reed, Robert Slade, Attrition.org, Curiosity.org and several other contributors.

InfoSec News Archives:
 http://www.landfield.com/isn
 http://lists.jammed.com/ISN/
 http://lists.insecure.org/isn/
 http://cert.uni-stuttgart.de/archive/isn/
 http://online.securityfocus.com/archive/12
 http://marc.theaimsgroup.com/?l=isn&r=1&w=2
 http://archives.neohapsis.com/archives/isn/

InfoSec News is moderated by William Knowles wk(at)c4i.org. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion. The InfoSec News membership list is NOT available for sale or disclosure.

InfoSec News is a non-profit list. Sponsors [1] are only donating to cover bandwidth and server costs.

[1] http://www.c4i.org/contribute.html
[ISN] MyDoom sparks talks of security's future
http://news.com.com/2100-7349_3-5152165.html

By Robert Lemos
Staff Writer, CNET News.com
February 2, 2004

The virus, which has combined many old attack techniques into a successful package, was hardly blunted by antivirus programs during the first few hours of its exponential spread.

That's a problem, said Shlomo Touboul, CEO of security software maker Finjan Software. "The MyDoom attack should never have propagated so far into the Internet," he said. "It is obvious that we need another layer (of software) to protect during the first hours of attack."

Despite a deep understanding of how such viruses spread, security experts seem to be at a loss at how to stop them. Popular antivirus technology is generally ineffectual against many of the attacks until an update is downloaded by the user. Moreover, even though antivirus software is the most popular security technology in use--about 99 percent of corporations use it, according to the Computer Security Institute--many home users still don't use the software.

"Many people don't even have the software," said Bruce Schneier, chief technology officer for Counterpane Internet Security. "And for those that do, the first few hours of an epidemic is a race against time."

MyDoom spread through e-mail a week ago, infecting a new computer every time an unwary user opened the attached file containing the program. As many as 2 million computers may have been infected. The original virus was programmed to attack The SCO Group's Web site last Sunday, while a variant is scheduled to target Microsoft on Tuesday.

E-mail service provider MessageLabs has quarantined more than 17 million e-mail messages in a week, said Alex Shipp, senior antivirus technologist for the company. From data captured early in the epidemic, MessageLabs says that for every Internet address with an infected PC behind it, eight e-mails are sent, on average, to one of the company's customers.

However, even though companies are still seeing massive quantities of e-mail messages bearing the MyDoom virus, the spread has slowed, stressed Shipp. "I don't think that there are going to be many more people who are left to get infected," he said. "It has gotten most of the available pool of (unwary) people to open it."

The rapid spread opens new questions about how users and companies should defend themselves against the next virus. New software may not be the solution, Counterpane's Schneier said. Instead, the balance between usability and security may have to be re-evaluated. "It's a fundamental question," he said. "Is the ability to execute attachments from Outlook a feature or a bug? I think it is a bug."

Unless such threats are dealt with, many more computers connected to the Internet may be compromised. While MyDoom infects PCs and turns them into platforms from which to attack other PCs and to send spam, other attacks could be possible and even more devastating, said Paul Mockapetris, chairman and chief scientist for Internet technology firm Nominum. "People should anticipate that (the attacker) is going to point these hacked PCs at other sites--that's coming," he said. "What's going to be the security of all Web sites if those attacks get more prevalent?"

Already, SCO is feeling the pain. The company's Web site is the primary denial-of-service target of PCs infected with the original version of the MyDoom virus. At 8:09 PST on Sunday morning, infected PCs were programmed to deluge the site with data. The attack, which effectively shuts down a site by flooding it with requests, is hard to stop, said Blake Stowell, a spokesman for SCO. "You have to try and think creatively about how to solve the problem," he said. "Is it something that you have to throw money at or to think creatively and come up with a technical solution?"

After trying to keep its site up, SCO took its address out of the domain name system, the global directory that maps names to addresses on the Internet. It's now referring people to a new Web site.

The same thing could happen to Microsoft's main Web site, starting Tuesday. A second variant of the MyDoom virus, which hasn't spread as far as the original, will begin sending data to the software giant's site. Microsoft would not comment Monday on its defenses, except to say that the company had prepared for the attack. Other security experts believed Microsoft would fare better than SCO.

"It just goes to show what possibilities exist out there," said Vincent Gullotto, vice president of antivirus research for security company Network Associates. "When this was supposed to happen to Microsoft last year, I think they dealt with it in a more effective manner."
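One "other layer" for the first hours of an outbreak, before any signature exists, is to screen attachments by what they are rather than by what they claim to be. As an added example, not from the article or from any vendor named in it, the Python below builds a constructed message with three attachments and quarantines anything that has the MZ/PE layout of a Windows executable, whatever its filename or declared MIME type, along with anything carrying an extension from an assumed site policy list of types a mail client would run on open. The "executable" in the sample is a header-only stub with no code.

```python
"""Content-based screening of e-mail attachments. Flags Windows executables by
their MZ/PE structure regardless of name or declared type, plus a policy list
of executable extensions. The sample message below is constructed; the
attached "executable" is a header-only stub with no code in it."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Assumed site policy, not taken from the article: extensions a mail client runs on open.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def looks_like_pe(data: bytes) -> bool:
    """PE files start with the 'MZ' DOS header; the dword at 0x3C (e_lfanew) points to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00"


def assess_attachment(part) -> List[str]:
    """Reasons to quarantine one MIME part; empty list means it passes."""
    reasons = []
    name = (part.get_filename() or "").lower()
    ext = os.path.splitext(name)[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    data = part.get_payload(decode=True) or b""
    if looks_like_pe(data):
        reasons.append("MZ/PE executable content")
        if part.get_content_maintype() in ("text", "image"):
            reasons.append(f"declared {part.get_content_type()} but carries an executable")
    return reasons


def scan_message(raw: bytes) -> Dict[str, List[str]]:
    """Map attachment filename -> quarantine reasons for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {(p.get_filename() or "<unnamed>"): assess_attachment(p) for p in msg.iter_attachments()}


def fake_pe_stub() -> bytes:
    """Header-only stand-in for an executable: 'MZ', e_lfanew -> 0x40, 'PE\\0\\0', then padding."""
    return b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20


def build_sample_eml() -> bytes:
    """Constructed message: an obviously executable name, an executable disguised as text,
    and a genuine text attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.net", "you@example.org", "test"
    msg.set_content("The message body is in the attached file.")
    msg.add_attachment(fake_pe_stub(), maintype="application", subtype="octet-stream", filename="document.pif")
    msg.add_attachment(fake_pe_stub(), maintype="text", subtype="plain", filename="readme.txt")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


SAMPLE_EML = build_sample_eml()

if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_EML).items():
        print("QUARANTINE" if reasons else "pass      ", name, reasons)
```

The magic check catches the disguised attachment that an extension list misses, and the extension list catches scripts that have no binary header; neither depends on knowing this week's virus, which is what makes the layer useful before the antivirus update arrives.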
[ISN] Linux Security Week - February 2nd 2004
LinuxSecurity.com Weekly Newsletter
February 2nd, 2004 | Volume 5, Number 5n
Editorial Team: Dave Wreski [EMAIL PROTECTED]
                Benjamin Thomas [EMAIL PROTECTED]

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.

This week, perhaps the most interesting articles include "Identity Based Encryption," "Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables," and "Introduction to OpenVPN."

>> Enterprise Security for the Small Business <<
Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for.
http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07

--- LINUX ADVISORY WATCH:
This week, advisories were released for gnupg, trr19, slocate, screen, mod_python, gaim, jabber, mc, and tcpdump. The distributors include Debian, Fedora, Gentoo, Mandrake, Red Hat, Slackware, and SuSE.
http://www.linuxsecurity.com/articles/forums_article-8837.html

Introduction to Netwox and Interview with Creator Laurent Constantin
In this article Duane Dunston gives a brief introduction to Netwox, a combination of over 130 network auditing tools. Also, Duane interviews Laurent Constantin, the creator of Netwox.
http://www.linuxsecurity.com/feature_stories/feature_story-158.html

CONCERNED ABOUT THE NEXT THREAT? EnGarde is the undisputed winner!
Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing Editor's Choice Award, EnGarde "walked away with our Editor's Choice award thanks to the depth of its security strategy..." Find out what the other Linux vendors are not telling you.
http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2

Managing Linux Security Effectively in 2004
This article examines the process of proper Linux security management in 2004. First, a system should be hardened and patched. Next, a security routine should be established to ensure that all new vulnerabilities are addressed. Linux security should be treated as an evolving process.
http://www.linuxsecurity.com/feature_stories/feature_story-157.html

--> Take advantage of the LinuxSecurity.com Quick Reference Card!
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf

| Host Security News: | <<-[ Articles This Week ]-

* Secure Web Based Mail Services
January 29th, 2004
What do field sales people, home teleworkers, medical personnel, and any one working remotely from a central site have in common? A need for up to the minute information. One of the most successful models for using the Internet for business is the information dissemination model.
http://www.linuxsecurity.com/articles/documentation_article-8834.html

* Identity Based Encryption
January 28th, 2004
For years the undisputed "best of breed" technologies for enterprise email encryption were Secure MIME (S/MIME) or PGP. Support for S/MIME has been built into popular email clients, going back nearly a decade. Originally considered the tool of the hacker elite, PGP has evolved into a highly effective enterprise tool, usable by mere mortals.
http://www.linuxsecurity.com/articles/cryptography_article-8825.html

* Updated: Linux Security HOWTO
January 27th, 2004
This document is a general overview of security issues that face the administrator of Linux systems. It covers general security philosophy and a number of specific examples of how to better secure your Linux system from intruders. Also included are pointers to security-related material and programs.
http://www.linuxsecurity.com/articles/documentation_article-8823.html

| Network Security News: |

* Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables
January 30th, 2004
This article provides information and recommendations for securing Linux operating systems with host-based firewalls. This article aims to provide readers with a template for constructing a host-based firewall that provides a useful layer of protection against the risks of exposing a system to internal and/or external users.
http://www.linuxsecurity.com/articles/firewalls_article-8836.html

* Zaurus Security Tools
January 27th, 2004
[ISN] CFP - RAID 2004 - Call for Papers
Forwarded from: Yves Roudier <[EMAIL PROTECTED]>

CALL FOR PAPERS
RAID 2004 "Intrusion Detection and Society"
Seventh International Symposium on Recent Advances in Intrusion Detection
Institut Eurécom, Sophia-Antipolis, French Riviera, France
September 15-17, 2004
http://raid04.eurecom.fr

RAID 2004 will be collocated with ESORICS 2004

This symposium, the seventh in an annual series, brings together leading researchers and practitioners from academia, government, and industry to discuss intrusion detection technologies and issues from the research and commercial perspectives. The RAID International Symposium series is intended to further advances in intrusion detection by promoting the exchange of ideas in a broad range of topics.

For RAID 2004 there is a special theme: the interdependence between intrusion detection and society. Thus, we will also welcome papers that address issues that arise when studying intrusion detection, including information gathering and monitoring, as a part of a larger, not necessarily purely technical, perspective. For example, the implication of information gathering and detection technologies on enterprises, organisations and authorities, as well as legislative and governing bodies is within scope, but also the impact and restrictions from those bodies on the design and technology. This would include issues such as privacy, risk and emergency management, crisis management, security policies, standardisation and legal issues. An increasingly important dynamic is the strategic importance of protecting national information infrastructures, which is in some tension with the fact that much of this infrastructure is in the private sector. Related to this is the potential strategic impact of attacks at the intersection of information and physical infrastructure.

The RAID 2004 program committee invites three types of submissions:

- Full papers presenting mature research results. Papers accepted for presentation at the Symposium will be included in the RAID 2004 proceedings published by Springer Verlag in its Lecture Notes in Computer Science (LNCS) series. Full papers are limited to 20 pages when formatted according to the instructions provided by Springer Verlag. Papers must include an abstract and a list of keywords.

- Practical experience reports describing a valuable experience or a case study, such as the design and deployment of a system or actual experience from intrusion detection or network monitoring. These reports are reviewed differently from full papers and do not necessarily include fundamental scientific contributions or new research ideas. Practical experience reports are limited to 12 pages when formatted according to the instructions provided by Springer Verlag. They must include an abstract and a list of keywords.

- Panel proposals for presenting and discussing hot topics in the field of intrusion detection systems. The panel proposals should include both an outline of the format of the panel and a short rationale for the panel. Panels that include time for general discussion and questions/answers between the panelists and the Symposium attendees are preferred.

All topics related to Intrusion Detection Systems and Technologies are within scope, including their design, use and maintenance, integration, correlation and self-protection, just to mention a few. With reference to this year's theme and extended scope we also invite papers on the following topics, which may not be in the mainstream of intrusion detection:

- Risk assessment and risk management
- Intrusion tolerance
- Deception systems and honeypots
- Privacy aspects
- Data mining techniques
- Visualization techniques
- Cognitive approaches
- Biological approaches
- Self-learning
- Case studies
- Legal issues
- Critical infrastructure protection (CIP)

ORGANIZING COMMITTEE
General Chair: Refik Molva <[EMAIL PROTECTED]>
Program Chairs: Erland Jonsson <[EMAIL PROTECTED]>, Alfonso Valdes <[EMAIL PROTECTED]>
Publication Chair: Magnus Almgren <[EMAIL PROTECTED]>
Publicity Chair: Yves Roudier <[EMAIL PROTECTED]>
Sponsor Chair: Marc Dacier <[EMAIL PROTECTED]>

PROGRAM COMMITTEE
Tatsuya Baba (NTT Data, Japan)
Lee Badger (DARPA, USA)
Sungdeok Cha (KAIST, Korea)
Steven Cheung (SRI International, USA)
Herve Debar (France Telecom R&D, France)
Simone Fischer-Hübner (Karlstad University, Sweden)
Steven Furnell (University of Plymouth, UK)
Bill Hutchinson (Edith Cowan University, Australia)
Dogan Kesdogan (RWTH Aachen, Germany)
Chris Kruegel (UCSB, USA)
Håkan Kvarnström (TeliaSonera R&D, Sweden)
Wenke Lee (Georgia Tech, USA)
Roy Maxion (Carnegie Mellon University, USA)
John McHugh (CMU/S
[ISN] Mutating software could predict hacker attacks
http://www.newscientist.com/news/news.jsp?id=ns4588
25 January 04

Novel computer viruses and worms can sweep the world within hours, leaving a trail of devastation, because firewalls and antiviral software work by identifying the telltale signatures of known attacks. They are useless against anything completely new.

But now software engineers at Icosystem in Cambridge, Massachusetts, have developed a program that can predict what is coming next by "evolving" future hacker and virus attacks based on information from known ones. The company is testing the technique with the help of the US Army's Computer Crimes Investigation Command in Fort Belvoir, Virginia.

The idea would be to generate these novel attack strategies centrally, then remotely update the intrusion-detection software protecting PCs and networks around the world. This would allow them to recognise attack patterns before hackers have even developed them.

The first version of the system is geared to predict hacking - though the technique is equally applicable to viruses. It works by mutating the short programs or "scripts" that hackers use to invade computers or which they plant on them for later activation. The result is artificially created hacking routines that security systems could be taught to recognise, allowing them to defend networks against previously unseen attacks.

Self destruct

Most attacks target well-known bugs in commercial web server software. By sending packets of data designed to exploit these flaws, an attacker can gain remote control over a computer or force it to do something self-destructive, like crashing after a certain number of keystrokes.

To defend against such attacks, today's computer networks use software that analyses traffic for signs of malicious activity. For instance, the arrival of data packets at an unusual input port may be a sign that a hacker is trying to flood a section of memory with oversized files in order to overwrite working memory and corrupt data.

But the attack may be modified in some way to confuse such defences - perhaps by combining a number of different attack routines. What is needed is an intrusion detector that can predict hackers' future strategies. And that is what Icosystem claims to have developed.

Its attack prediction system takes known hacking software and systematically mutates it to find the most deadly permutations. The mutations are kept simple so that the code still runs - there is no point in random mutations that render the software useless.

[...]
[ISN] UGA students notified of personal info compromise
http://www.usatoday.com/tech/news/computersecurity/2004-02-01-uga-id-hack_x.htm
2/1/2004

ATHENS, Ga. (AP) - The University of Georgia has notified 27,000 students via e-mail that a hacker may have accessed their personal information through a school computer server and plans to alert more than 4,000 students via U.S. mail. University officials were unable to contact those students electronically because they had invalid e-mail addresses, said UGA spokesman Tom Jackson.

UGA officials discovered the breach on Jan. 20 when they learned the server was probing other computers, domestic and foreign. The server was taken offline the same day.

Housed on the server are records for every student who applied for undergraduate admission to UGA since August 2002, totaling about 31,000 people. No one so far has complained that their information, which includes Social Security and credit card numbers, has been used, Jackson said.

Jackson said students who applied after Jan. 20 will not be affected. Monday is the deadline to apply for fall 2004 admission.

The Georgia Bureau of Investigation is working with the Federal Bureau of Investigation and UGA officials to determine the source of the breach.
[ISN] IT Losing Ground in Virus Battle
http://www.eweek.com/article2/0,4149,1484760,00.asp
By Dennis Fisher
February 2, 2004

After years of success deploying more effective and smarter defenses, anti-virus researchers contacted last week in the wake of the MyDoom outbreak acknowledged for one of the first times that the battle may be getting away from them.

The MyDoom virus, which hit Jan. 26 and infected several hundred thousand machines, is the fastest-spreading virus in the history of the Internet, experts said. At its peak late last week, MyDoom had infected one in every 12 pieces of e-mail, according to MessageLabs Inc., a New York-based e-mail security company.

MyDoom also is the latest in a line of recent viruses that, while not particularly innovative, have been maddeningly effective. Anti-virus software is an inherently reactive technology, leaving users as the first line of defense against new viruses. But despite endless admonishments to refrain from opening e-mail attachments, whether from home or work, many users continue to be fooled. In fact, whereas most viruses start from home PCs, MyDoom began from inside a corporate network.

"There are a lot of Fortune 100 companies infected," said David Perry, global director of education at Trend Micro Inc., in Cupertino, Calif. "There's nothing entertaining about this."

Social engineering tactics such as MyDoom's disguising itself as a returned or rejected e-mail message make it harder for users to distinguish legitimate messages from infected ones. "[The virus writer] obfuscated the message to the point where it was alluring. The innovation coming out of these guys is slim," said Ian Hameroff, eTrust security strategist at Computer Associates International Inc., in Islandia, N.Y.

Virus writers are now loading their creations with extras such as back doors, mail proxies for relaying spam and keystroke loggers for stealing passwords. As a result, they're guaranteed that the viruses will continue to do damage after they've been removed from a computer. By the end of last week, Symantec Corp. sensors were seeing as many as 2,000 unique machines scanning for PCs listening on port 3217, which is used by the back door MyDoom installs.

All this has left many in the industry wondering when the tide will turn. Much of the problem, experts say, is that security still does not get the attention it deserves inside enterprises.

"I think [that executives] are aware that something needs to be done but not what," said Karen Worstell, chief security officer at AT&T Wireless Services Inc., in Redmond, Wash. "We have to tell them that it's not paranoia. It's good sense."

Dan Geer, principal scientist at Verdasys Inc., said in his keynote at the Black Hat Briefings conference here that he believes it's time for a kind of Centers for Disease Control and Prevention for the Internet. But to work properly, the center would need real-time data from across the Internet, which would require victims to report what's happened to them, something that is exceedingly rare right now.

For some companies, educating executives and other employees about security issues and best practices has been just as important as any piece of technology for improving security. Premera Blue Cross, a health care company in Mountlake Terrace, Wash., requires that every employee go through a 90-minute training session on security and sends out regular e-mail flashes reminding workers of policies and procedures and warning of new threats.

"We want everyone to know about security. The average top executive doesn't understand security, but we have to change that," said Allen Kerr, vice president of IT infrastructure and information security officer at Premera. "Security is an imperative. It's no longer just a good idea."
[ISN] DARPA-funded Linux security hub withers
http://www.theregister.co.uk/content/55/35262.html
By Kevin Poulsen
SecurityFocus
Posted: 01/02/2004

Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.

Initially funded by a research grant from the Pentagon's Defense Advanced Research Projects Agency (DARPA), the Sardonix project aspired to replace the loosely-structured Linux security review process with a public website that meticulously tracks which code has been audited for security holes, and by whom.

As conceived by Oregon-based computer scientist Crispin Cowan, Sardonix was to attract volunteer auditors by automatically ranking them according to the amount of code they've examined, and the number of security holes they've found. Auditors would lose points if a subsequent audit by someone else turned up bugs they missed.

Cowan hoped that the system would produce the same cocktail of goodwill and computer-judged competition that fuels other successful geeky endeavors, from the distributed computing effort that recognizes top producers in the search for new prime numbers, to the "karma" points awarded highly-rated posters on the news-for-nerds site Slashdot.

In the end, though, nobody showed up. "I got a great deal of participation from people who had opinions on how the studliness ranking should work, and then squat from anybody actually reviewing code," says Cowan, chief research scientist at WireX Communications.

The project's DARPA funding ran out nine months ago, and the website lingers as a mostly-abandoned husk. The only code audits on the site were performed by a handful of graduate students directed to the task by David Wagner, a computer science professor at U.C. Berkeley.

Cowan believes Sardonix was a casualty of security community culture, which he says rewards researchers who find clever or splashy holes in a program, but not for making software more secure.

"The Bugtraq model is: find a bug, win a prize -- a modest amount of fame," says Cowan. "Our model is: review a whole body of code, eventually finding no bugs, and receive a deeper level of appreciation from people who use the code.

"It seems the Sardonix lesson is people don't want to play this game, they want to play the Bugtraq game."
[ISN] MyDoom.B Rapidly Spreading
Forwarded from: Tcat Houser <[EMAIL PROTECTED]>

http://www.emergencyemail.org/cyber1.asp

This information obtained from...
The U. S. Department of Homeland Security
US Computer Emergency Readiness Team

MyDoom.B Rapidly Spreading

Mydoom.B is a new variant of the Mydoom worm and is about 29,184 bytes. This variant attempts to perform a Distributed Denial of Service (DDoS) attack against Microsoft.com. Details regarding this new worm are still emerging, but it has been validated as spreading in the wild. Facts about the worm will be further qualified with follow up reports following this initial analysis.

Once activated, this virus will overwrite the HOSTS file located at %WINDIR%\system32\drivers\etc\hosts. At least one version of this worm has been observed to write the following data to this file:

127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0
0.0.0.0
0.0.0.0 engine.awaps.net awaps.net www.awaps.net ad.doubleclick.net
0.0.0.0 spd.atdmt.com atdmt.com click.atdmt.com clicks.atdmt.com
0.0.0.0 media.fastclick.net fastclick.net www.fastclick.net ad.fastclick.net
0.0.0.0 ads.fastclick.net banner.fastclick.net banners.fastclick.net
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 ftp.f-secure.com securityresponse.symantec.com
0.0.0.0 www.symantec.com symantec.com service1.symantec.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 support.microsoft.com downloads.microsoft.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 office.microsoft.com msdn.microsoft.com go.microsoft.com
0.0.0.0 nai.com www.nai.com vil.nai.com secure.nai.com www.networkassociates.com
0.0.0.0 networkassociates.com avp.ru www.avp.ru www.kaspersky.ru
0.0.0.0 www.viruslist.ru viruslist.ru avp.ch www.avp.ch www.avp.com
0.0.0.0 avp.com us.mcafee.com mcafee.com www.mcafee.com dispatch.mcafee.com
0.0.0.0 download.mcafee.com mast.mcafee.com www.trendmicro.com
0.0.0.0 www3.ca.com ca.com www.ca.com www.my-etrust.com
0.0.0.0 my-etrust.com ar.atwola.com phx.corporate-ir.net

This will have the effect of making these sites unreachable for any application that uses domain names, including most anti-virus update programs, electronic mail, HTTP, and FTP.

[...]
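As an added example (not code from the US-CERT notice), the following script parses a HOSTS file in the format quoted above, reports every non-loopback name that has been sinkholed to 0.0.0.0 or 127.0.0.1, classifies names under the vendor and update domains from the notice as update-blocking, and produces a cleaned copy; the sample file and the watched-domain suffixes are constructed from the list above.

```python
"""Detect and clean MyDoom.B-style HOSTS file tampering.

Added example, not code from the US-CERT notice. It parses the HOSTS file
format the notice quotes (one IP address followed by one or more names,
'#' starts a comment) and reports every non-loopback name that has been
sinkholed to 0.0.0.0 or 127.0.0.1, which is how the worm blocks antivirus
and Windows Update sites. The sample file and the watched-domain suffixes
are constructed here from the list in the notice.
"""
import ipaddress
from typing import Dict, List, Tuple

# Names that legitimately map to loopback and must not be reported.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "local", "lo"}

# Addresses the worm uses to make a name unreachable.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}

# Vendor and update domains taken from the notice (assumed watchlist);
# a sinkholed name under one of these is classed as update-blocking.
WATCHED_SUFFIXES = ("microsoft.com", "symantec.com", "sophos.com",
                    "f-secure.com", "mcafee.com", "nai.com",
                    "networkassociates.com", "trendmicro.com", "ca.com",
                    "my-etrust.com", "kaspersky.ru", "avp.com", "avp.ru",
                    "avp.ch", "viruslist.ru")

# Constructed sample: a few of the worm's lines plus one legitimate entry.
SAMPLE_HOSTS = """\
127.0.0.1 localhost localhost.localdomain local lo
0.0.0.0
0.0.0.0 www.sophos.com sophos.com ftp.sophos.com f-secure.com www.f-secure.com
0.0.0.0 liveupdate.symantec.com update.symantec.com updates.symantec.com
0.0.0.0 download.microsoft.com windowsupdate.microsoft.com
0.0.0.0 ar.atwola.com phx.corporate-ir.net
# entry added by an administrator, must survive cleaning
192.168.1.10 intranet.example.test
"""

Finding = Tuple[int, str, str, bool]  # (line number, ip, name, update-blocking?)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, names) for each resolvable line.

    Comments and blank lines are skipped, and a line whose first token is not
    an IP address is ignored, mirroring how the resolver treats the file.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = str(ipaddress.ip_address(tokens[0]))
        except ValueError:
            continue
        entries.append((lineno, ip, tokens[1:]))
    return entries


def is_watched(name: str) -> bool:
    """True when the name is one of, or sits under, a watched domain."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed(text: str) -> List[Finding]:
    """Report every non-loopback name mapped to a sinkhole address."""
    findings: List[Finding] = []
    for lineno, ip, names in parse_hosts(text):
        if ip not in SINKHOLE_ADDRS:
            continue
        for name in names:
            lname = name.lower().rstrip(".")
            if lname in LOOPBACK_NAMES:
                continue
            findings.append((lineno, ip, lname, is_watched(lname)))
    return findings


def summarize(text: str) -> Dict[str, int]:
    """Count findings by class, the way an alert would summarise them."""
    findings = find_sinkholed(text)
    blocking = sum(1 for f in findings if f[3])
    return {"update_blocking": blocking,
            "other_sinkholed": len(findings) - blocking}


def clean_hosts(text: str) -> str:
    """Return the file with every tampered line removed.

    A line is tampered when its address is a sinkhole and it names anything
    other than the loopback aliases; comments and all other lines (including
    a bare '0.0.0.0' with no names) are kept verbatim so an administrator's
    own entries survive.
    """
    tampered = {lineno for lineno, _, _, _ in find_sinkholed(text)}
    kept = [raw for lineno, raw in enumerate(text.splitlines(), start=1)
            if lineno not in tampered]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, blocking in find_sinkholed(SAMPLE_HOSTS):
        tag = "UPDATE-BLOCKING" if blocking else "sinkholed"
        print(f"line {lineno}: {name} -> {ip} [{tag}]")
    print(summarize(SAMPLE_HOSTS))
```

On a real host, read %WINDIR%\system32\drivers\etc\hosts into `find_sinkholed` and write the output of `clean_hosts` back only after the infection itself has been removed, since the worm rewrites the file on activation.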
[ISN] Security Maven Calls for Internet 'Disease Control' Agency
http://www.eweek.com/article2/0,4149,1474670,00.asp
By Dennis Fisher
January 29, 2004

SEATTLE - The dominance of Windows in the marketplace continues to represent a threat to the safety and security of the Internet and is a problem that must be addressed at the highest levels of government, a noted security researcher said in his keynote speech at the Black Hat Windows conference here Thursday.

Dan Geer, one of the authors of last year's controversial paper on the subject of the Windows monoculture on the Internet, said that the assertions in the paper and his speech are not new and are beginning to draw the attention of legislators and government officials in the United States and abroad.

"This wasn't a shot out of the dark. It's not a new idea, even though in some sense I got fired publicly because I said this," said Geer, who was fired as the chief technology officer of security consultancy @stake Inc. following the paper's publication. "This is a problem that demands attention on the national government scale and maybe the world scale. It is an idea whose time has come."

Geer, who is now heading his own risk management firm and is also chief scientist at security vendor Verdasys Inc., said that Windows' dominance is only part of a complex equation that has led to this state of affairs. Also contributing to the problem is the relative lack of skill of most PC users and the number of current vulnerabilities in Windows.

To combat the combination of these issues, Geer endorsed the idea of a central authority that would collect data on virus outbreaks and other problems, analyze the malware, look for protective measures, and look for new infection vectors and ways to defend against those attacks. The idea for a kind of Centers for Disease Control and Prevention for the Internet is not new, nor is it Geer's. It was first proposed in a paper called "How to Own the Internet in Your Spare Time," which was presented at the 2002 Usenix Security Symposium.

"The idea of a CDC-type organization for the Internet is a very intriguing one," Geer said. Given the magnitude of the MyDoom virus outbreak this week, it is an idea that may begin to get some traction.

Geer also raised the possibility that the government would be forced to develop some regulations regarding security and liability if the industry doesn't address the problem on its own. "Let me be clear. I loathe regulation. Loathe it," he said. "But we are going to get some regulation. I just want to make sure that we get the right kind."
[ISN] New DHS cyber alert system under fire
http://www.computerworld.com/securitytopics/security/story/0,10801,89550,00.html
Story by Dan Verton
JANUARY 29, 2004
COMPUTERWORLD

WASHINGTON -- The leaders of the security-information-sharing organizations within some of the nation's critical-infrastructure sectors are criticizing the Department of Homeland Security for announcing a new cyber alert system without better framing the role of the private sector.

In interviews with Computerworld, senior officials from the Information Sharing and Analysis Centers (ISAC) within the IT and financial services industries said they learned of the new DHS National Cyber Alert System from media reports that appeared shortly after the announcement was made yesterday (see story). More important, the officials said they still have little or no idea what, if any, new capabilities the alert system offers, what is expected of the ISACs or how the private sector is supposed to integrate and coordinate with the DHS on the alerts.

"The government wanted to know how it could get [security information] to everybody, but it didn't ask us how we could do that," said Pete Allor, operations director for the IT sector's ISAC. "At least you got a conference call," he said, referring to the media briefing hosted by the DHS.

During that briefing, Amit Yoran, director of the DHS's National Cyber Security Division, told reporters that the new alert system "will integrate very closely with ISAC functions, [and alerts] will be provided to the ISACS and in many cases coordinated with the ISACS in advance." That integration will be made possible by the U.S. Computer Emergency Readiness Team (US-CERT), he said.

That was news to Suzanne Gorman, chair of the financial services sector's ISAC, who said she and others were never briefed on what capabilities the US-CERT operation provides. "We talk about partnerships, but it would have been really nice if they had a conversation with us ahead of making this announcement," said Gorman. "The way they did this was poor, to say the least."

Yoran, in response to those concerns, said the DHS did in fact conduct discussions with the various ISACs on what the department could do to increase awareness -- and he said that level of interaction will increase as the system matures. However, Yoran said, the goal of the new system is to give "all users of cyberspace the information they need to protect themselves." He noted that the DHS alert system doesn't provide any sector-specific information. Instead, it offers a national-level view, which "even all of the ISACS don't cover," he said.

Despite the agency's characterization of the new system as "a fundamental building block of the public/private partnership," both Allor and Gorman said the initiative seems to be geared more toward home users and the small business community than toward the medium-size and large companies that make up the bulk of the nation's critical infrastructure.

From a critical-infrastructure-protection perspective, "I'm not clear on how this is going to work," said Gorman. "There seems to be a lot of duplication of effort."

Allor also questioned the effectiveness of using e-mail alerts to notify home and small business users of security issues -- a key issue that the DHS should have discussed with the private sector, he said. "Who are we trying to alert, for what, and what's the best method to get to them?" said Allor. It's not clear that e-mail alerts will be as timely for these users as they are for large enterprise users, he said.
[ISN] Microsoft offers reward for MyDoom.B leads
http://news.com.com/2100-7349_3-5150469.html
By Robert Lemos
Staff Writer, CNET News.com
January 29, 2004

SEATTLE -- Microsoft announced on Thursday that it will offer $250,000 for information leading to the capture and conviction of the individual or group responsible for the release of MyDoom.B.

The original MyDoom virus started spreading on Monday and quickly swamped the Internet. The MyDoom.B variant appeared on Wednesday and, among other things, prevents an infected PC from accessing some Microsoft Web sites and targets Microsoft's main Web site with a denial-of-service attack due to start on Feb. 1.

"When we looked at the B variant, we found it to be much more malicious," said Sean Sundwall, a spokesman for the software giant. "It's not that we think the person who wrote the original (virus) is not just as culpable."

The reward is the third time Microsoft has posted a $250,000 "Wanted" sign on the Internet. It offered the same amount for information leading to the capture and conviction of the persons or groups responsible for releasing the MSBlast worm and the Sobig.F virus.

Microsoft's reward is the second prompted by the MyDoom epidemic. The SCO Group announced on Tuesday that it is offering $250,000 for information that leads to the capture of the writer of the original virus. Both the original MyDoom virus and the modified version released on Wednesday target SCO's Web site with a denial-of-service attack.

While the people who have released variants in the past haven't been considered to be as malicious as the original virus writer, Microsoft's Sundwall said the modified MyDoom seems much worse than the original. It overwrites the original and attempts to block an infected computer's access to sites that could host important security updates. "And it attacks us (at Microsoft), of course," Sundwall said.

Computers infected by the variant are expected to begin to deluge the Web sites of Microsoft and the SCO Group with traffic from Feb. 1, or the first time they are turned on after that, until Feb. 12, or when they are shut down after that. It is likely that the attack will be difficult to stop, because it will just appear to be regular attempts to access the Web sites.

Neither the FBI, which should be contacted with tips, nor Microsoft have indicated what, if any, progress has been made tracking down the two perpetrators, for which rewards have already been offered.
[ISN] Net crime gangs hit gambling sites
http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=4237306
By Bernhard Warner
European Internet Correspondent
29 January, 2004

LONDON (Reuters) - Organised crime gangs are shaking down Internet betting sites on the eve of American football's Super Bowl, threatening to unleash a crippling data attack unless they pay a "protection" fee, police and site operators said.

The National Hi-Tech Crime Unit (NHTCU) told Reuters it is investigating a series of attacks and threats of attacks on companies in the United Kingdom. But security experts say sites based in the Caribbean and continental Europe have also been targeted.

"These are not groups of amateur hackers -- great deals of money are changing hands," said an NHTCU spokesman. "These are for-profit crimes and all intelligence suggests that organised crime is involved."

One such target is Curacao-based VIP Management Services, which runs seven gambling sites including www.VIPSports.com and www.Betgameday.com. "We were first targeted in September and have been under intermittent attack ever since," said Alistair Assheton, managing director of the privately held six-year-old firm.

E-XTORTION ARTISTS

The so-called denial-of-service attacks, which can disable a corporate data network with a barrage of bogus data requests, are a standard tool for hackers aiming to knock out a site. Lately, police say, crime gangs have adapted it to extort businesses. Security experts and police said they believe the gangs are based in Eastern Europe and Russia, taking advantage of the region's weak cyber crime laws and its legions of savvy programmers.

Assheton said that on Monday he received the latest threat via e-mail. It was a demand for $30,000 (16,435 pounds) to be wired via Western Union to the extortionist's account or risk being hit. "They essentially said 'pay up or you will go down for the Super Bowl,'" he said.

Police sources said this type of cyber "protection racket" has grown in recent months. The risk of being knocked offline by a digital attack on Super Bowl weekend, one of the busiest betting periods of the year, could doom a gambling site. Jeffrey Weber, who writes an online newsletter dedicated to the industry, called www.Alltopsportsbooks.com, estimated an outage of a few hours is costly. "That's $500,000 to $1 million dollars worth of action wiped out in one shot," he said.

PAY UP -- OR ELSE

Reuters obtained a copy of an e-mail extortion threat distributed earlier this month. It demanded sites pay $15,000 for six months' worth of protection. "If you wait to make a deal with us when the attacks start, it will cost you $25,000 for six months protection and the lost revenues as your site will stay down until the $25,000 is received," the e-mail threat said.

Weber said a number of small sites have paid up, calculating it would be cheaper than going dark during a busy period. "It's almost like the criminal elements of the neighbourhood bookmakers has merged with the world of online bookmakers," he said.

Noting the relatively small sums demanded -- to ensure the victim does not go out of business and can continue to pay up -- security and law enforcement sources said they believe this is the work of gangs with experience in such shakedown schemes. "This is very professional," said one security expert.

The Net crime wave is not exactly new. Extortionists and crime groups have targeted businesses of all sizes since the early days of e-commerce. Law enforcement has been hampered because until recently companies were reluctant to report the incidents for fear of hurting their business reputation. Police hope a recent spirit of cooperation will help their cause.
[ISN] CFP - ESORICS 2004 - Call for Papers
Forwarded from: Yves Roudier <[EMAIL PROTECTED]>

CALL FOR PAPERS

ESORICS 2004
9th European Symposium on Research in Computer Security
Institut Eurécom, Sophia Antipolis, French Riviera, France
September 13-15, 2004
http://esorics04.eurecom.fr

ESORICS 2004 will be collocated with RAID 2004

Papers offering novel research contributions in any aspect of computer security are solicited for submission to the Ninth European Symposium on Research in Computer Security (ESORICS 2004). Organized in a series of European countries, ESORICS is confirmed as the European research event in computer security. The symposium started in 1990 and has been held on alternate years in different European countries and attracts an international audience from both the academic and industrial communities. From 2002 it will be held yearly. The Symposium has established itself as one of the premier international gatherings on Information Assurance.

Papers may present theory, technique, applications, or practical experience on topics including:

- access control
- accountability
- anonymity
- applied cryptography
- authentication
- covert channels
- cryptographic protocols
- cybercrime
- data and application security
- data integrity
- denial of service attacks
- dependability
- digital rights management
- firewalls
- formal methods in security
- identity management
- inference control
- information dissemination control
- information flow control
- information warfare
- intellectual property protection
- intrusion tolerance
- language-based security
- network security
- non-interference
- peer-to-peer security
- privacy-enhancing technology
- pseudonymity
- secure electronic commerce
- security administration
- security as quality of service
- security evaluation
- security management
- security models
- security requirements engineering
- security verification
- smartcards
- steganography
- subliminal channels
- survivability
- system security
- transaction management
- trust models and trust management policies
- trustworthy user devices

The primary focus is on high-quality original unpublished research, case studies and implementation experiences. We encourage submissions of papers discussing industrial research and development. Proceedings will be published by Springer-Verlag in the Lecture Notes in Computer Science series.

PAPER SUBMISSIONS

Submitted papers must not substantially overlap papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. Papers should be at most 15 pages excluding the bibliography and well-marked appendices (using 11-point font), and at most 20 pages total. Committee members are not required to read the appendices, and so the paper should be intelligible without them.

To submit a paper, send to [EMAIL PROTECTED] a plain ASCII text email containing the title and abstract of your paper, the authors' names, email and postal addresses, phone and fax numbers, and identification of the contact author. To the same message, attach your submission (as a MIME attachment) in PDF or portable PostScript format. Do NOT send files formatted for word processing packages (e.g., Microsoft Word or WordPerfect files). Submissions not meeting these guidelines risk rejection without consideration of their merits.

Submissions must be received by March 26, 2004 in order to be considered. Notification of acceptance or rejection will be sent to authors by May 30, 2004. Authors of accepted papers must be prepared to sign a copyright statement and must guarantee that their paper will be presented at the conference. Authors of accepted papers must follow the Springer Information for Authors' guidelines for the preparation of the manuscript and use the templates provided there.

ORGANIZING COMMITTEE

General Chair: Refik Molva, Institut Eurécom, email: [EMAIL PROTECTED]
Program Chairs: Peter Ryan, University of Newcastle upon Tyne, email: [EMAIL PROTECTED]; Pierangela Samarati, University of Milan, email: [EMAIL PROTECTED]
Publication Chair: Dieter Gollmann, TU Hamburg-Harburg, email: [EMAIL PROTECTED]
Publicity Chair: Yves Roudier, Institut Eurécom, email: [EMAIL PROTECTED]
Sponsoring Chair: Marc Dacier, Institut Eurécom, email: [EMAIL PROTECTED]

PROGRAM COMMITTEE

Vijay Atluri, Rutgers University, USA
Joachim Biskup, Universitaet Dortmund, Germany
Jan Camenis
[ISN] U.S. Takes Anti-Virus Role
http://www.washingtonpost.com/wp-dyn/articles/A58255-2004Jan28.html

By Jonathan Krim and Mike Musgrove
Washington Post Staff Writers
January 29, 2004

The federal government yesterday announced a new, centralized system to alert the country to threats to computer systems, as a virulent worm continued to play havoc with e-mail around the world.

The alert system, announced by the cybersecurity division of the Department of Homeland Security, will be a clearinghouse of information on hacking, viruses, worms and cyberterrorism. It will also be a place for consumers to learn about their systems' vulnerabilities and how to fight computer crime.

"We are focused on making the threats and recommended actions easier for all computer users to understand, prioritize and act upon," said Amit Yoran, the director of the cybersecurity division.

The system was planned well before the latest computer worm began infecting machines on Monday. Computer security firm Network Associates Inc. said that while the number of new occurrences of the worm, known as MyDoom, has leveled off, there is still a tide of MyDoom-bearing e-mails circulating around the Internet. The worm disguises itself as e-mail that was not delivered properly, enticing recipients to open attachments that launch the malicious code.

One of Network Associates' major corporate clients was blocking infected e-mails at a rate of 160,000 an hour yesterday, said Craig Schmugar, a virus research manager at the company.

In addition to bogging down e-mail networks, the worm is scheduled to use infected computers to launch Web-based attacks on SCO Group Inc., a Utah company that claims to own the rights to some of the software code used in versions of the freely available operating system Linux. Those attacks are scheduled to begin Sunday. A variant of the worm that appeared yesterday is scheduled to launch similar attacks against Microsoft Corp.'s Web site. Microsoft and SCO have licensed some of each other's technologies.

The variant also prevents infected computers from viewing the Web sites of many major anti-virus companies. Like the original, yesterday's variant is programmed to avoid targeting e-mail addresses used by the government, military, the search site Google and some Web domain names associated with the open-source software community.

"When the bomb goes off on [Sunday], that's when we're expecting to see some major issues," said Lloyd Taylor, vice president of technology and operations at Keynote Systems Inc., a Web performance monitoring firm.

The new federal alert system is intended to make the government the trusted source of computer-security information, which currently is disseminated by various corporate, research, government and quasi-public organizations. Cyber-threats to national infrastructure, for example, were the responsibility of the old National Infrastructure Protection Center, which was under the FBI until the Homeland Security Department was formed.

Several companies and research institutions have Web sites with information on virus, worm and other threats, with many of them selling programming solutions to network operators to fend off particular attacks. Many firms sell consumers various products to protect their home systems while providing security information.

Some security experts questioned whether the alerts are the best first use of the newly formed cybersecurity division. "Is the lack of information sharing the biggest problem?" said Mark D. Rasch, vice president of Solutionary Inc., a cybersecurity firm. "No."

But Yoran said it is important that such information come from a neutral source. "The vendor community is focused on sales as well as on protecting their clients," said Yoran, who recently took over the division after working at Symantec Corp., which sells Norton anti-virus and other security products. "Coming from the U.S. government, the focus is solely on the public interest."

John Pescatore, a computer-security analyst for the research and consulting firm Gartner Inc., said it is especially important for consumers to have a place to go whose intent is not to sell products. Unlike the wealth of information that is available for companies, "there's not a lot that is unfiltered for consumers," he said.

Computer users will be able to go to the division's Web site (www.us-cert.gov) for information and to sign up for regular newsletters and bulletins.

Alan Paller, head of the SANS Institute in Bethesda, a computer-security research facility, said he sees value in the government being the authority on identifying and tracking cyber-threats. The model should be the National Weather Service, which collects primary weather data, Paller said. "Everyone else is an interpreter." With cybersecurity information, Paller said, "everyone is a collector. That model is wrong."

Because the government also has resources at the Defense Department and coordinates w
[ISN] Secunia Weekly Summary - Issue: 2004-5
The Secunia Weekly Advisory Summary
2004-01-22 - 2004-01-29

This week: 41 advisories

Table of Contents:
1. Word From Secunia
2. This Week In Brief
3. This Week's Top Ten Most Read Advisories
4. Vulnerabilities Summary Listing
5. Vulnerabilities Content Listing

1) Word From Secunia:

Secunia Advisory IDs

Every advisory issued by Secunia has a unique identifier: the Secunia Advisory ID (SA ID). The SA IDs make it very easy to reference, identify, and find Secunia advisories.

A Shortcut to Secunia Advisories

Finding Secunia advisories using SA IDs is easily done at the Secunia website, either by simply entering the SA ID in the search form placed on the right side of every Secunia web page, or by entering the SA ID directly after the domain when visiting the Secunia website, e.g. http://secunia.com/SA10736

In the Secunia Weekly Summary, SA IDs are displayed in brackets, e.g. [SA10736]

2) This Week in Brief:

Security researcher http-equiv has reported a vulnerability, which can be exploited to spoof the "File name" field in Internet Explorer when downloading files. Secunia has made a simple demonstration of this vulnerability; a link to the test can be found in the referenced Secunia Advisory.
Reference: [SA10736]

http-equiv has also demonstrated how it is possible to make a normal-looking "folder" in Windows XP contain arbitrary code, which will be executed automatically on a user's system when opened.
Reference: [SA10708]

Apple has issued a security update for Mac OS X. The update fixes several vulnerabilities, some of which are already known and others are new.
Reference: [SA10723]

A vulnerability has been reported in the very popular FTP server Serv-U, which can be exploited to execute arbitrary code on vulnerable systems. Reportedly, the vulnerability is addressed in version 5.0.
Reference: [SA10706]

TIP: Finding Secunia advisories is easily done through the Secunia web site. Simply enter the SA ID in the URL: http://secunia.com/SA10736

3) This Week's Top Ten Most Read Advisories:

1. [SA10736] Internet Explorer File Download Extension Spoofing
2. [SA10708] Windows XP Malicious Folder Automatic Code Execution Vulnerability
3. [SA10395] Internet Explorer URL Spoofing Vulnerability
4. [SA10723] Mac OS X Security Update Fixes Multiple Vulnerabilities
5. [SA9580] Microsoft Internet Explorer Multiple Vulnerabilities
6. [SA9213] XBlockOut "-display" Privilege Escalation Vulnerability
7. [SA9223] Cisco Catalyst Switch Non-Standard TCP Flag Combination DoS Vulnerability
8. [SA10700] Need for Speed Client Buffer Overflow Vulnerability
9. [SA10289] Internet Explorer System Compromise Vulnerabilities
10. [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability

4) Vulnerabilities Summary Listing

Windows:
[SA10700] Need for Speed Client Buffer Overflow Vulnerability
[SA10736] Internet Explorer File Download Extension Spoofing
[SA10710] Mbedthis AppWeb HTTP Request Denial of Service Vulnerabilities
[SA10708] Windows XP Malicious Folder Automatic Code Execution Vulnerability
[SA10707] TinyServer Multiple Vulnerabilities
[SA10704] Q-Shop SQL Injection and Cross Site Scripting Vulnerabilities
[SA10724] ProxyNow! HTTP Request Buffer Overflow Vulnerabilities
[SA10714] FinJan SurfinGate Proxy Access to Admin Functions
[SA10741] BRS WebWeaver "ISAPISkeleton.dll" Cross Site Scripting Vulnerability
[SA10739] BlackICE PC Protection Privilege Escalation Vulnerability

UNIX/Linux:
[SA10738] Gentoo update for gaim
[SA10735] Gentoo update for mod_python
[SA10723] Mac OS X Security Update Fixes Multiple Vulnerabilities
[SA10721] Red Hat update for gaim
[SA10719] Slackware update for gaim
[SA10718] Mandrake update for tcpdump
[SA10717] Mandrake update for gaim
[SA10716] Mandrake update for mc
[SA10715] Debian update for gnupg
[SA10705] Gaim Multiple Buffer Overflow Vulnerabilities
[SA10696] Cisco Voice Products Director Agent Insecure Default Installation
[SA10703] Mandrake update for jabber
[SA10701] Cherokee Error Page Cross-Site Scripting Vulnerability
[SA10722] Fedora update for slocate
[SA10720] Red Hat update for slocate
[SA10702] Mandrake update for slocate
[SA10698] Red Hat update for sloc
[ISN] Windows & .NET Magazine Security UPDATE--Changing the Administrator Password--January 28, 2004
This Issue Sponsored By
Exchange & Outlook Administrator
http://list.winnetmag.com/cgi-bin3/DM/y/eePq0CJgSH0CBw0BEf10Aw

1. In Focus: Changing the Local Administrator Password
2. Announcements
   - Need a SQL Server Time-Saver?
   - Download a Free eBook--"A Guide to Group Policy"
3. Security News and Features
   - Recent Security Vulnerabilities
   - News: New MyDoom Email Virus Spreads Quickly
   - News: MBSA 1.2 Now Available
   - Feature: Microsoft Baseline Security Analyzer
4. Instant Poll
   - Results of Previous Poll: Online Fraud
   - New Instant Poll: Wireless Networking
5. Security Toolkit
   - Virus Center
   - Virus Alert: Bagle.A
   - FAQ: How Can I Use the Active Directory Connector (ADC) Tools for Exchange Server 2003?
   - Featured Thread: Local Administrator Account
6. Event
   - New--Microsoft Security Strategies Roadshow!
7. New and Improved
   - Communications Security for Corporate Desktops
   - Honeypot Detects Intrusion
   - Tell Us About a Hot Product and Get a T-Shirt
8. Contact Us
   See this section for a list of ways to contact us.

Sponsor: Exchange & Outlook Administrator
Try a Sample Issue of Exchange & Outlook Administrator! If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and down time. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now!
http://list.winnetmag.com/cgi-bin3/DM/y/eePq0CJgSH0CBw0BEf10Aw

1. In Focus: Changing the Local Administrator Password
by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED]

In many network environments, preventing users from having access to the local Administrator account is a good idea. Otherwise, a user could use the account to log on and make unauthorized changes to the system and possibly access unauthorized resources on the network.
A typical scenario for configuring the various user accounts on a network is to establish user accounts that have only the access capabilities required for a user to perform his or her work and to set the local Administrator account password on each machine to something unknown to nonadministrative users. In environments with multiple domains, setting the local Administrator password to a different value in each domain is often a good idea. You should also periodically change the local Administrator passwords.

If your network has dozens, hundreds, or even thousands of machines, changing passwords across all the machines can be challenging, especially if you don't use Active Directory (AD). A reader recently wrote, asking how to perform such a task in an environment without AD. Two ideas come to mind: using a third-party tool or using scripts.

If you prefer the third-party tool option, several tools on the market might fit your needs. Some password-changing tools come as parts of network-management packages, and some are more tailored to the task at hand. Back in October 2001, I mentioned a tool called DCPC, which can change all the local Administrator passwords across a network. Some people have told me they aren't comfortable using it because it's freeware and because it comes from a company that doesn't appear to be very established. I haven't used DCPC and can't vouch for its trustworthiness, but it's still available.
http://www.danish-company.com/dcpc

Another tool you might consider is Hyena, which is available from SystemTools Software. Hyena performs a variety of tasks, among them the ability to change local Administrator passwords on multiple machines across a network. I think it's reasonably priced, and according to the Web site, you can download a fully functional evaluation version. Other solutions are undoubtedly available, so do some research and shop around to find a solution that fits your needs.
http://www.adkins-resource.com/hyena/index.html

If you just need to change the local Administrator password on a few machines, consider using cusrmgr.exe, which is available in the "Microsoft Windows 2000 Resource Kit." The tool works for Win2K and Windows NT systems. You can read more about cusrmgr.exe in the Microsoft article "How to Use the Cusrmgr.exe Tool to Change Administrator Account Password on Multiple Computers."
http://www.microsoft.com/windows/reskits/default.asp
http://support.microsoft.com/?kbid=272530

If you don't mind using scripts, try the Win32::AdminMisc Perl module (available at the first URL below), developed by Windows & .NET Magazine author Dave Roth. The Windows & .NET Magazine article "How to Manage Your Enterprise's Passwords the Easy Way" (at the second URL below) explains how to manage local Administrator passwords by using Win32::AdminMisc. The arti
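As an added example (not from the article, and not code from Dave Roth's module or any of the tools named above), here is the scripted approach in PowerShell using the ADSI WinNT provider, which also works without Active Directory. It goes one step beyond the per-domain advice in the column by giving every machine its own random password, so one recovered password does not open every host. The input file computers.txt and the vault directory are assumed names, and the caller must be a local administrator on each target.

```powershell
# Added example: rotate the local Administrator password on many machines
# without AD, via the ADSI WinNT provider. Assumes computers.txt (hypothetical,
# one hostname per line) and a .\vault directory that only admins can read.

function New-RandomPassword {
    param([int]$Length = 20)
    # Draw from the CSPRNG, not Get-Random; reject bytes above $limit so the
    # modulo does not bias the distribution toward the first few characters.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $limit    = 256 - (256 % $alphabet.Length)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    -join $chars
}

function Set-LocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$NewPassword,
        [string]$AccountName = 'Administrator'
    )
    try {
        # The WinNT provider talks to the remote machine's local SAM; no domain
        # membership is required, only admin rights on that machine.
        $acct = [ADSI]"WinNT://$ComputerName/$AccountName,user"
        $acct.SetPassword($NewPassword)
        $acct.SetInfo()
        [pscustomobject]@{ Computer = $ComputerName; Changed = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Computer = $ComputerName; Changed = $false; Error = $_.Exception.Message }
    }
}

# One unique password per machine; the result table shows which hosts failed so
# they can be retried rather than silently left on the old password.
$results = foreach ($line in Get-Content .\computers.txt | Where-Object { $_.Trim() }) {
    $computer = $line.Trim()
    $password = New-RandomPassword
    $result   = Set-LocalAdminPassword -ComputerName $computer -NewPassword $password
    if ($result.Changed) {
        # Persist the secret encrypted under the caller's DPAPI key (Windows
        # PowerShell behaviour of ConvertFrom-SecureString without -Key).
        ConvertTo-SecureString $password -AsPlainText -Force |
            ConvertFrom-SecureString |
            Set-Content -Path ".\vault\$computer.txt"
    }
    $result
}
$results | Format-Table -AutoSize
```

Run it from an administrative workstation that can reach each target over SMB/RPC; hosts that are offline or reject the connection show up with Changed set to False and the error text, which is the list to work through before considering the rotation complete.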
[ISN] Anti-Virus Companies, Tenacious Spammers
Forwarded from: security curmudgeon <[EMAIL PROTECTED]>

http://www.attrition.org/security/rant/av-spammers.html

Anti-Virus Companies: Tenacious Spammers
Wed Jan 28 04:46:28 EST 2004
Brian Martin [EMAIL PROTECTED]

No one can argue that the spam problem is getting better. Despite advances in anti-spam technology and legislation against spam, unwanted junk mail is flowing into our inboxes at an increased rate. Stock tips, enhancement drugs, Nigerian scams, DVD copy software and hundreds of other products or services get shoved in our face.

For roughly three years, the Internet has seen worms that spread via e-mail, often taking addresses out of the infected machine's web cache, user address book or other sources. Some of these worms will also forge/spoof the "From:" line so the mail appears to be from someone else, in an attempt to make the mail more 'trusted'. To be clear..

[..]

Spam is basically defined as "unsolicited junk e-mail". Unsolicited, as in you did not request the person/company to send you mail. Junk, as in it contains no valuable content or information. When an anti-virus program from a remote system mails you out of the blue, tells you that it blocked a virus YOU sent, tells you that you are likely infected with a virus and advertises itself, the remote site is sending you spam.

In the case of the latest worm, myself and others have received more spam from Anti-Virus products than the worm itself! As you read this, Anti-Virus companies are responsible for products that are sending out more unwanted mail than the worm itself. The most damning mail from these products not only purport to "warn you of infection", but they go so far as to advertise the product to you. This is unsolicited commercial e-mail (UCE, aka "spam") in its purest form.

[..]
[ISN] ITL Bulletin for January 2004
Forwarded from: Elizabeth Lennon <[EMAIL PROTECTED]>

ITL Bulletin for January 2004

COMPUTER SECURITY INCIDENTS: ASSESSING, MANAGING, AND CONTROLLING THE RISKS

Shirley Radack, Editor
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Technology Administration
U.S. Department of Commerce

Attacks on computers and networks have become more numerous and more severe in recent years. While preventing such attacks would be the ideal course of action for organizations, not all computer security incidents can be prevented. Every organization that depends upon computers and networks to carry out its mission should identify and assess the risks to its systems and to its information, and reduce those risks to an acceptable level. An important component of this risk management process is the assessment of the risks of security incidents and the identification of effective ways to deal with them. A well-defined incident response capability helps the organization detect incidents rapidly, minimize losses and destruction, identify weaknesses, and restore information technology operations speedily.

NIST Guide on Handling Security Incidents

NIST's Information Technology Laboratory recently issued Special Publication (SP) 800-61, Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology. Written by Tim Grance, Karen Kent, and Brian Kim, NIST SP 800-61 provides practical guidance to help organizations establish an effective incident response program, analyze and respond to information security incidents, and reduce the risks of future incidents. The new guide replaces NIST SP 800-3, Establishing a Computer Security Incident Response Capability (CSIRC).

The new incident handling guide contains useful information for computer security incident response teams (CSIRTs), system and network administrators, security staff, technical support staff, chief information officers (CIOs), and computer security program managers who are responsible for handling security incidents. Topics discussed include the need for and the organization of incident response teams, and how to manage the incident handling process. Specific recommendations are provided for handling five types of incidents: denial of service (DoS), malicious code, unauthorized access, inappropriate usage, and multiple component incidents. Appendices include a consolidated list of recommendations that are discussed in the guide, incident response scenarios, and questions for use in incident response exercises. Also included in the appendices are suggested items of information to be collected about each incident, a glossary, an acronym list, lists of online resources and other references, frequently asked questions about incident response activities, and the steps to follow when handling a security incident.

This ITL Bulletin summarizes NIST SP 800-61, which is available at http://csrc.nist.gov/publications/nistpubs/index.html.

Planning and Organizing an Incident Handling Capability

Federal departments and agencies are specifically directed by the Federal Information Security Management Act (FISMA) of 2002 to develop and implement procedures for detecting, reporting, and responding to security incidents. Federal civilian agencies are responsible for designating a primary and secondary point of contact (POC) to report all incidents to the Federal Computer Incident Response Center (FedCIRC) in the Department of Homeland Security, and for documenting corrective actions that have been taken and their impact. Further, policy guidance issued by the Office of Management and Budget (OMB) requires that agencies have a capability to provide help to users when security incidents occur in their systems and to share information concerning common vulnerabilities and threats (OMB Circular No. A-130, Appendix III).

The participation of many people within the organization is important in planning and implementing an incident response program, and in making the decisions that are key to a successful program. The organization should adopt an incident response policy that defines which events are considered incidents, establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents. An incident response team with appropriate technical skills should be selected from the different team structures and staffing models that are discussed in the guide, and training should be provided to team members. The services that will be provided by the team should be decided. Procedures are needed to assess the impact of incidents, and effective methods of collecting, analyzing, and reporting data should be established. Careful planning and dedicated resources are essential to establishing and maintaining a successful incident handling capability that will enable the organization to respond quickly and e
[ISN] Wireless Chicago Hackers Have Hijacking Job Appallingly Easy
http://www.eprairie.com/news/viewnews.asp?newsletterid=6473

[When you read as much security news as I do, you begin to notice little anomalies, such is the case with this article below, it looks suspiciously similar to an article in Fortune Magazine from 1/26/2004 at... http://www.fortune.com/fortune/peterlewis/0,15704,575710,00.html While I guess you can blame this on the butterfly effect of two writers thinking the same thing on the same week, I think different forces are at work, you be the judge. - WK]

1/28/2004

CHICAGO - Have you ever used the wireless network at a Chicago hotel or coffee shop? If you have, odds are a hacker owes you a thank you for letting him or her hijack your computer to spew spam over the internet.

Also, to the establishment manager, the hackers say: "Thanks ever so much for not securing the wireless network you recently installed. You've made it much easier for me to sit in your establishment and digitally browse the laptops of dozens of your patrons and guests."

Driven by the demand brought on by business travelers and the nirvana-type promises of the wireless craze, establishments all over the world are adding wireless broadband connections. Before you jack your laptop into one of these public high-speed links, though, consider that by the time you check out of the hotel or finish that double-skinny latte, someone else may have taken a stroll through your computer.

I recently found myself in a discussion with an executive from a large, Chicago-based concern. The executive came away from the talk with enough doubt in his belief that his people will follow the rules his company has set down with regard to attaching to unapproved networks that he agreed to spend a day with me on a hacker's tour of wireless Chicago.

What followed was an education in how appallingly simple it is to log onto the various public wireless networks around Chicago (or, for that matter, any city). Just to show how really simple this is, we used hacker tools easily downloaded from the Internet.

At this juncture, I must add that it's not that hotels and coffee shops are the only ones with security issues. However, since laptop-toting business people may be carrying highly sensitive company files and they tend to frequent coffee shops and stay overnight at hotels, these locations become a target-rich environment for the digital predators. Much like the alligator lurking on the edge of the watering hole, the predator knows that sooner or later the unprepared wildebeest will stumble into his grasp.

Our tour began with an upscale hotel in downtown Chicago that's known for a high number of executive-level business guests. I will admit that I did cheat a little in starting here as I've done a fair amount of reconnaissance in the way of war walking around downtown Chicago. In about 15 minutes, we had located 25 vulnerable laptops and four hotel back-office computers. We did this by simply looking for a wireless access point that was unsecured. Once found, we probed for computers that were daydreaming at the watering hole.

Time for a disclaimer: We did not probe any of the vulnerable guest or hotel computers we were able to locate. The intent of this tour stop was to demonstrate how easy it is to find targets in the wild using a typically configured Windows laptop and connecting it to the hotel network as a typical business traveler would. We did not actually violate any guest or hotel computers.

The next stop on the tour was a well-known and heavily frequented coffee shop. While sitting and sipping our double-shot espressos, I connected a laptop to the newly installed and highly publicized wireless network. Instead of doing the normal and expected activity of directing my computer outward to the Web, I used a popular security tool called NMAP (or network map) to see what else was on the network.

Grossly simplified, NMAP enabled my computer to roam the coffee shop and find addresses that just might contain a wildebeest. The next step is to see which wildebeest is asleep at the watering hole by probing for ports that are unprotected. By the way, the typical PC has some 65,000 ports. Hackers use a tool called a "port scanner" to see which wildebeest is daydreaming.

Here's where my tour companion got an eye-opening experience: When it comes to computers, mobile business people often have an open-door policy. Many Windows-based laptops are sold with the vulnerable file-sharing option turned on by default. Even virtual private networks (VPNs), which create secure and encrypted tunnels to a corporate network over the Internet, are vulnerable to hackers. Though a VPN encrypts data traffic, underneath in the operating system layer there is still traffic that the predator can and will exploit.

My tour companion came away with a new outlook of how well people secure - or should we say don't secure - their PCs. Oh, did I mention tha
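The article's point is that a typically configured laptop answers a neighbour's scan on a shared network because file sharing and a lax firewall profile are left on. As an added example (not from the article), the following PowerShell audits what a Windows laptop exposes on the network it is currently attached to, listing non-administrative SMB shares, firewall profiles that are switched off, the network profile category, and ports listening on all interfaces, and with -Remediate moves every active connection to the Public profile so inbound file sharing is blocked. It assumes Windows 8 or Server 2012 or later (the NetConnection, NetSecurity, NetTCPIP and SmbShare modules) and an elevated prompt for the remediation step.

```powershell
# Added example: what would a stranger on this coffee-shop network see?
# Assumes Windows 8 / Server 2012 or later; -Remediate needs an elevated prompt.

function Get-SharedNetworkExposure {
    [CmdletBinding()]
    param([switch]$Remediate)

    # 1. Network category per connection. Anything other than Public gets the
    #    domain/private firewall rules, which allow file and printer sharing in.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, InterfaceIndex, Name, NetworkCategory

    # 2. Firewall state per profile. A disabled profile means no inbound filtering.
    $firewall = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    # 3. SMB shares beyond the administrative defaults (names ending in $).
    $shares = Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } |
        Select-Object Name, Path

    # 4. TCP listeners bound to every address: the ports a port scanner would find.
    $listeners = Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object

    if ($Remediate) {
        foreach ($p in $profiles | Where-Object { $_.NetworkCategory -ne 'Public' }) {
            # Public applies the most restrictive built-in rule set without
            # touching the user's shares, which stay available at home/office.
            Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
        }
        $profiles = Get-NetConnectionProfile |
            Select-Object InterfaceAlias, InterfaceIndex, Name, NetworkCategory
    }

    [pscustomobject]@{
        NonPublicProfiles = @($profiles | Where-Object { $_.NetworkCategory -ne 'Public' })
        FirewallDisabled  = @($firewall | Where-Object { $_.Enabled -ne 'True' })
        UserShares        = @($shares)
        ListeningPorts    = @($listeners)
    }
}

$report = Get-SharedNetworkExposure
$report | Format-List
if ($report.UserShares.Count -gt 0 -or $report.NonPublicProfiles.Count -gt 0 -or
    $report.FirewallDisabled.Count -gt 0) {
    Write-Warning 'On a shared network this machine is the daydreaming wildebeest: run with -Remediate.'
}
```

A clean result on a hotel or coffee-shop network is an empty UserShares list, no disabled firewall profile, every connection categorised as Public, and a ListeningPorts list containing nothing you cannot name; the VPN caveat in the article still applies, since the tunnel protects the corporate traffic but not the host's own listening services.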
[ISN] SCO offers $250,000 reward for arrest of Mydoom worm author
http://www.computerworld.com/securitytopics/security/story/0,10801,89470,00.html Story by Ken Mingis JANUARY 27, 2004 COMPUTERWORLD The SCO Group Inc. said today it is experiencing a distributed denial-of-service (DDOS) attack apparently related to the Mydoom worm that first appeared yesterday. The company, which is embroiled in legal action against IBM over intellectual property rights related to its ownership of System V Unix code, said it is offering a reward of up to $250,000 "for information leading to the arrest and conviction of the individual or individuals responsible for creating the Mydoom virus." In a statement released late today, the company said it has been the target of several such DDOS attacks during the past 10 months. But the one now under way "is different and much more troubling, since it harms not just our company, but also damages the systems and productivity of a large number of other companies and organizations around the world," said SCO CEO Darl McBride in the statement. "The perpetrator of this virus is attacking SCO. ... "We do not know the origins or reasons for this attack, although we have our suspicions," said McBride, who did not elaborate on what those suspicions are. "This is criminal activity and it must be stopped." The company also said it is working with U.S. law enforcement authorities, including the U.S. Secret Service and the FBI, to try to determine who might be involved in the attack. The Mydoom worm, also known as Novarg and Mimail.R, is a mass-mailing worm that arrives via e-mail as an attachment with one of several possible file extensions, including .bat, .cmd, .exe, .pif, .scr or .zip. When a user opens the attachment, his computer becomes infected. The worm is apparently designed to attack the company's Web site, www.sco.com, beginning on Feb. 1. Experts have said that the Mydoom worm is spreading faster than last year's Sobig.F, which topped the charts as the most widespread e-mail worm of 2003. 
Both Network Associates Inc. and Symantec Corp. said that when the attached file is executed, the worm scans the user's system for e-mail addresses and forwards itself to those addresses. If the victim has a copy of the Kazaa file-sharing application installed, it will also drop several files in the shared-files folder in an attempt to spread that way. According to Symantec, the worm also installs a "key logger" that can capture anything that is entered, including passwords and credit card numbers, and will start sending requests for data to SCO's Web site. If enough requests are sent, the SCO site could be forced off-line. - ISN is currently hosted by Attrition.org To unsubscribe email [EMAIL PROTECTED] with 'unsubscribe isn' in the BODY of the mail.
[ISN] Campus Web site hacked
http://www.idsnews.com/story.php?id=20854 By Michael Zennie January 27, 2004 Five hours after this year's biggest snowstorm had stopped, IU was put under an emergency alert, thanks to a student hacker who manipulated the campus warning Web site. IU spokeswoman Jane Jankowski said the server of the emergency Web site did not have adequate security and that it had been breached from the outside by a student on the IU campus. Students visiting the Web site, http://emergency.iub.edu, between 1:30 and 8 a.m. were greeted with the incorrect emergency alert and a plea to "call up your congressman and suggest the educational process at Indiana University be suspended on Monday." The site also directed students to the National Weather Service and the Drudge Report Web sites "for details." Jankowski said the incorrect information was fixed just after 8 a.m. Monday when University Information Technology Services staff showed up for work. She said since then, the hole in security has been fixed, and the site is no longer vulnerable to such unauthorized access. Jankowski said the student hacker has been caught and referred to the dean of students for reprimand. Forcibly gaining unauthorized access to a Web site is not only against IU policy, but also against Indiana state law. Jankowski declined to give the name of the student in question. Senior Matt Haas saw the site with the incorrect information and thought it was suspicious. "It seemed most odd that it had a link to DrudgeReport.com," he said. "However, it was also very strange that this official IU Web page directed students to call their congressman to cancel school." IU's emergency automated hotline kept the correct information throughout the night: IU was under normal conditions. In the event of an emergency, IU President Adam Herbert has the final say in class cancellations, and congressmen have no input in the process.
The University uses the Web site, which is maintained by the Office of Risk Management, to alert IU students, faculty and staff to terrorist threats, weather-related closings and other emergencies, said Larry Stephens, director of the Office of Risk Management. Freshman Arnav Patel also saw the compromised site and questioned the security of the IU network. "I thought it was unusual that someone was able to hack into what should be the most secure site on campus." -- Contact staff writer Michael Zennie at [EMAIL PROTECTED]
[ISN] A Visit from the FBI
http://www.securityfocus.com/cgi-bin/sfonline/columnists-item.pl?id=215 [If its good enough for the FBI Computer Crime Squad, its good enough for you! http://www.amazon.com/exec/obidos/ASIN/BU9H40/c4iorg -WK] By Scott Granneman Jan 21 2004 Well, it finally happened. Right before Christmas, I had a little visit from the FBI. That's right: an agent from the Federal Bureau of Investigation came to see me. He had some things he wanted to talk about. He stayed a couple of hours, and then went on his way. Hopefully he got what he wanted. I know I did. Let me explain. I teach technology classes at Washington University in St. Louis, a fact that I mentioned in a column from 22 October 2003 titled, "Joe Average User Is In Trouble". In that column, I talked about the fact that most ordinary computer users have no idea about what security means. They don't practice secure computing because they don't understand what that means. After that column came out, I received a lot of email. One of those emails was from Dave Thomas, former chief of computer intrusion investigations at FBI headquarters, and current Assistant Special Agent in Charge of the St. Louis Division of the FBI. Dave had this to say: "I have spent a considerable amount in the computer underground and have seen many ways in which clever individuals trick unsuspecting users. I don't think most people have a clue just how bad things are." He then offered to come speak to my students about his experiences. I did what I think most people would do: I emailed Dave back immediately and we set up a date for his visit to my class. It's not every day that I have an FBI agent who's also a computer security expert come speak to my class, so I invited other students and friends to come hear him speak. On the night of Dave's talk, we had a nice cross-section of students, friends, and associates in the desks of my room, several of them "computer people," most not. Dave arrived and set his laptop up, an IBM ThinkPad A31. 
He didn't connect to the Internet - too dangerous, and against regulations, if I recall - but instead ran his presentation software using movies and videos where others would have actually gone online to demonstrate their points. While he was getting everything ready, I took a look at the first FBI agent I could remember meeting in person. Dave is from Tennessee, and you can tell. He's got a southern twang to his voice that disarms his listeners. He talks slowly, slightly drawling his vowels, and it sort of takes you in, making you think he's not really paying attention, and then you realize that he knows exactly what he's doing, and that he's miles ahead of you. He wears a tie, but his suit is ready to wear and just a bit wrinkled. His dark hair is longer than you'd think, hanging below his collar, further accentuating the country-boy image, but remember, this country boy knows his stuff. All in all, he gives off the air of someone who's busy as heck, too busy to worry about appearances, and someone who's seen a lot of things in his time.

A-cracking we will go

Dave focused most of his talk on the threats that ordinary computer users face: what those threats are, who's behind them, and why they exist. He spent quite a bit of time talking about the intersection of Trojans and viruses. He started by showing us how easy it is to create a virus, using one of several virus creation wizards that can be easily found on the Net (of course, real men and women write their own). More and more, however, the viruses circulating on the Internet are quite purposeful in design. The goal is to install a Trojan on the unsuspecting user's machine that will then allow the bad guy to control the machine from afar, turning it into a zombie machine under the control of another. All too often, this tactic is successful. Hundreds of thousands if not millions of machines are "owned" by someone other than the user sitting in front of the keyboard and monitor.
These Trojans are often the ones that security pros have been watching for years: SubSeven, Back Orifice, and NetBus. A lot of the time, script kiddies are the ones behind these Trojans, and they do the usual stuff once they have control of a user's PC: grab passwords, use groups of machines to organize DDoS attacks (often against other script kiddies), and jump from machine to machine to machine in order to hide their tracks. What surprised me, however, was how often Trojans are used to mess with the heads of the poor unsuspecting suckers who own the zombie machines. A favorite trick is to surreptitiously turn on the Webcam of an owned computer in order to watch the dupe at work, or watch what he's typing on screen. This part isn't surprising. But Dave had countless screenshots, captured from impounded machines or acquired online from hacker hangouts, where the script kiddie, after watching for a while, just can't help himself a
[ISN] Government planning cyberalert system
http://news.com.com/2100-7348_3-5148708.html By Robert Lemos Staff Writer, CNET News.com January 27, 2004 The U.S. Department of Homeland Security plans to announce details of a cyberalert system on Wednesday, two days after a virus called MyDoom spread rapidly across the Internet. The system, which will be detailed by the department's National Cyber Security Division, could mimic the color-coded scheme the government uses to warn citizens and alert law enforcement authorities of terrorism threats, a source familiar with some details of the plan said. The latest e-mail virus, MyDoom, underscores the need for a system to alert and inform Internet users. The mass-mailing computer virus took off on Monday, spreading faster than any previous virus, security experts said this week. The alert system could include a common way for home and business users to report security issues and Internet threats. Details of the early warning system will be outlined by Amit Yoran, the division's director, according to a press release issued by the department Tuesday. The announcement comes about two months after officials met with technology industry experts to form plans in five areas: awareness for home users and small businesses, cybersecurity early warning, corporate governance and security, technical standards and building better security into software. Those meetings built upon the National Strategy to Secure Cyberspace, a policy blueprint the Bush Administration released almost a year ago. While the strategy has been criticized as being soft on an industry keen to avoid regulation, several administration officials talked tough at the National Cyber Security Summit in December. The National Cyber Alert System will be announced at a press conference in Washington, D.C., early Wednesday.
[ISN] Viruses and hackers make Windows more secure - Gates
http://www.theregister.co.uk/content/55/35145.html By John Leyden Posted: 27/01/2004 Virus writers and hackers are helping Microsoft to develop more secure products, Bill Gates claimed yesterday. Speaking at the Developing Software for the Future Microsoft Platform event in London yesterday, just hours before the MyDoom virus began spreading like wildfire across the Net, Gates reiterated that security remains a key priority for the software giant. He acknowledged that better security is vital if its .NET strategy is to succeed. Microsoft would lose out, as would businesses, if customers resisted moves to put their businesses on the Net because of security concerns, he said. He said Microsoft wanted to make sure viral epidemics cease to happen. Gates did not say how this might happen beyond noting that the software giant had learned from hackers and recent viral outbreaks. Microsoft has improved its inspection techniques, emphasised the value of fewer lines of code in software development and developed firewall technologies for PCs. Internet worms have also spurred improvements in auto-updating technology, according to Gates. Because the smartest hackers target Windows, Microsoft can improve the security of its platform more rapidly than OS rivals, he argued: hackers are "good for the maturation" of the platform. "It would be wrong to say an operating system is more secure because nobody is attacking it," said Gates, in a clear dig at OS rivals such as Apple and Linux. Getting customers to apply patches - vital in cutting down routes of viral spread - is a thorny issue for Microsoft. Only one in five (20 per cent) customers are up to date with patches, Gates says. Gates's perspective on hackers fits fairly closely with their own frequently cited view that they are acting in an attempt to force Microsoft to improve the security of its products. Unlike his colleague Steve 'Sheriff' Ballmer, Gates isn't inclined to draw analogies between hackers and bank robbers.
[ISN] New worm avoids feds for now
Forwarded from: William Knowles <[EMAIL PROTECTED]> http://www.fcw.com/fcw/articles/2004/0126/web-virus-01-27-04.asp BY Rutrell Yasin Jan. 27, 2004 A new mass-mailing computer worm that began rapidly spreading throughout the Internet Jan. 26 apparently avoids targeting the e-mail addresses of government agencies, military facilities and large software companies, according to a security expert at a leading antivirus firm. The worm -- known as MyDoom, [EMAIL PROTECTED], Shimgapi or as a variant of the MiMail worm -- is an encrypted program that creates a mass-mailing of itself, which may clog mail servers or degrade network performance. By avoiding federal sites and large software companies, the worm's author could be "attempting to get lead time before antivirus definitions" are written to block the worm, said Alfred Huger, senior director of engineering with Symantec Security Response, a unit of Symantec Corp. that tracks and responds to virus outbreaks. If the worm started attacking .mil and .gov e-mail addresses as well as antivirus vendors, then signatures could be written to thwart it much sooner, he said. Symantec and other leading antivirus vendors have pushed out software updates to customers to help protect against the worm. A likely target appears to be The SCO Group, a provider of Unix software based in Lindon, Utah. SCO has stirred emotions in the Linux community by claiming that important pieces of the open-source operating system are covered by SCO's Unix copyright. The worm is programmed to instruct infected PCs to send a flood of bogus traffic, or a denial-of-service attack, to SCO's Web server Feb. 1 through Feb. 12. The worm can also drop a backdoor program onto a PC, allowing an intruder to take control of the machine, Huger said. Although Novarg is comparable to other mass-mailing worms such as Sobig and MiMail, the latest worm is "written a little more robustly," Huger said. 
Other worms require either a mail server to be present on the network or access to a Domain Name System (DNS) server to spread. This one "comes with both pieces of functionality written in it," he said. Novarg arrives with an attachment with an .exe, .scr, .zip, or .pif extension and a subject line of "Mail Delivery System," "Test" or "Mail Transaction Failed." *==* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC C4I.org - Computer Security, & Intelligence - http://www.c4i.org Help C4I.org with a donation: http://www.c4i.org/contribute.html *==*
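A gateway-side check for the MyDoom/Novarg indicators the SCO and FCW articles above give (attachment extensions .bat, .cmd, .exe, .pif, .scr and .zip; subject lines "Mail Delivery System", "Test" and "Mail Transaction Failed"), written here as an added example rather than any antivirus vendor's signature. The sample messages are constructed inline with Python's email module, and the quarantine/review policy is an assumption of this example, not something the articles prescribe.

```python
"""Mail-gateway triage for the MyDoom/Novarg indicators reported above.

Added example, not a vendor signature. Indicators are limited to what the
articles state; the verdict policy (quarantine vs. review) is an assumption.
"""
import email
from email import policy
from email.message import EmailMessage

# Executable attachment types named in the SCO article: the worm runs as soon
# as the user opens one, so a gateway has every reason to hold them outright.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".pif", ".scr"}
# .zip is named too, but legitimate archives are common, so it only reaches
# "quarantine" when a known worm subject line accompanies it (assumption).
ARCHIVE_EXTENSIONS = {".zip"}
# Subject lines from the FCW article, compared case-insensitively.
SUSPECT_SUBJECTS = {"mail delivery system", "test", "mail transaction failed"}


def extension(filename):
    """Last dot-suffix, lower-cased, so 'README.TXT.EXE' -> '.exe'."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def attachment_names(msg):
    """Filenames of all parts carried as attachments."""
    return [part.get_filename() for part in msg.iter_attachments() if part.get_filename()]


def classify(raw_bytes):
    """Return (verdict, reasons) for one RFC 822 message given as bytes.

    verdict is 'quarantine', 'review' or 'deliver'; reasons lists every
    indicator that fired so an analyst can see why.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg.get("Subject") or "").strip().lower()
    names = attachment_names(msg)
    executables = [n for n in names if extension(n) in EXECUTABLE_EXTENSIONS]
    archives = [n for n in names if extension(n) in ARCHIVE_EXTENSIONS]
    subject_hit = subject in SUSPECT_SUBJECTS

    reasons = []
    if executables:
        reasons.append("executable attachment: " + ", ".join(executables))
    if archives:
        reasons.append("archive attachment: " + ", ".join(archives))
    if subject_hit:
        reasons.append(f"known MyDoom subject line: {subject!r}")

    if executables or (archives and subject_hit):
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "deliver"
    return verdict, reasons


def build_message(subject, attachment=None, body="see attached"):
    """Constructed sample message for exercising classify(); not worm output."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_message("Mail Transaction Failed", ("message.zip", b"PK\x03\x04 constructed")),
        build_message("hello", ("document.txt.pif", b"MZ constructed")),
        build_message("quarterly numbers", ("q1.zip", b"PK constructed")),
        build_message("Test"),
        build_message("lunch?", ("notes.txt", b"plain text")),
    ]
    for raw in samples:
        print(classify(raw))
```

Only the final extension is inspected, which is what catches the double-extension trick ("document.txt.pif"); a bare "Test" subject is far too common to quarantine on its own, so subject matches without a dangerous attachment are routed to review rather than held. Because the worm's mass-mailer and DNS resolver are built in, nothing on the local mail server will have logged the outbound copies, which is why the inbound gateway is the place to apply this kind of check.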
[ISN] Linux Security Week - January 26th 2004
LinuxSecurity.com Weekly Newsletter | January 26th, 2004 | Volume 5, Number 4n | Editorial Team: Dave Wreski [EMAIL PROTECTED], Benjamin Thomas [EMAIL PROTECTED] Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines. This week, perhaps the most interesting articles include "An Introduction To SQL Injection Attacks For Oracle Developers," "Linux as a Firewall Foundation," "Problems and Challenges with Honeypots," and "Extrusion or Intrusion." >> Enterprise Security for the Small Business << Never before has a small business productivity solution been designed with such robust security features. Engineered with security as a main focus, the Guardian Digital Internet Productivity Suite is the cost-effective solution small businesses have been waiting for. http://ads.linuxsecurity.com/cgi-bin/newad_redirect.pl?id=gdn07 --- LINUX ADVISORY WATCH: This week, advisories were released for cvs, screen, kdepim, mc, tcpdump, kernel, slocate, honeyd, isakmpd, and lftp. The distributors include Conectiva, Debian, Guardian Digital EnGarde Secure Linux, Gentoo, OpenBSD, Red Hat, Trustix, and Turbolinux. http://www.linuxsecurity.com/articles/forums_article-8802.html --- Managing Linux Security Effectively in 2004 This article examines the process of proper Linux security management in 2004. First, a system should be hardened and patched. Next, a security routine should be established to ensure that all new vulnerabilities are addressed. Linux security should be treated as an evolving process.
http://www.linuxsecurity.com/feature_stories/feature_story-157.html --- Guardian Digital Customers Protected From Linux Kernel Vulnerability As a result of the planning and secure design of EnGarde Secure Linux, the company's flagship product, Guardian Digital customers are protected from a vulnerability that led to the complete compromise of several high-profile open source projects, including those belonging to the Debian Project. http://www.linuxsecurity.com/feature_stories/feature_story-155.html --> Take advantage of the LinuxSecurity.com Quick Reference Card! --> http://www.linuxsecurity.com/docs/QuickRefCard.pdf Host Security News - Articles This Week: * Security group warns of hole in Linux kernel January 23rd, 2004 The kernel is the core of the Linux operating system and provides basic services for all other parts of the operating system such as allocating processor time for the programs running on the computer and managing the system's memory or storage. http://www.linuxsecurity.com/articles/host_security_article-8804.html * An Introduction To SQL Injection Attacks For Oracle Developers January 23rd, 2004 Most application developers underestimate the risk of SQL injection attacks against web applications that use Oracle as the back-end database. This paper is intended for application developers, database administrators, and application auditors to highlight the risk of SQL injection attacks and demonstrate why web applications may be vulnerable. http://www.linuxsecurity.com/articles/server_security_article-8807.html * Linux beefs up standards January 20th, 2004 Red Hat corporate Linux distributors will next month introduce their Enterprise Directory Services and Authentication course to Australia. By all accounts, the skills it seeks to impart, in conjunction with others in the Red Hat Certified Engineer (RHCE) program, are going to be in increasing demand.
http://www.linuxsecurity.com/articles/general_article-8789.html * Standardizing on Security January 19th, 2004 Things that are created in an open fashion tend to be the best of breed. They benefit from the entire world seeing them at their most basic level, and parties collaborating to enhance them and make them better. Open technology is an example of this. http://www.linuxsecurity.com/articles/general_article-8781.html Network Security News: * Book Review: Designing Network Security - 2nd Edition January 25th, 2004 This is a very good book. It provides a good foundation of basic universal security practice and then goes into detail on how to implement network security using Cisco hardware and software. No single aspect is covered in exceptional depth - the book is meant to give a little information on the whole range of security rather than mastering any one area of network security. http://www.linuxsecurity.com/article
[ISN] Secunia Weekly Summary - Issue: 2004-4
The Secunia Weekly Advisory Summary 2004-01-15 - 2004-01-22 This week : 56 advisories Table of Contents: 1...Word From Secunia 2...This Week In Brief 3...This Weeks Top Ten Most Read Advisories 4...Vulnerabilities Summary Listing 5...Vulnerabilities Content Listing 1) Word From Secunia: Secunia Advisory IDs Every advisory issued by Secunia has a unique identifier: The Secunia Advisory ID (SA ID). The SA IDs make it very easy to reference, identify, and find Secunia advisories. A Shortcut to Secunia Advisories Finding Secunia Advisories using SA IDs is easily done at the Secunia website; either by simply entering the SA ID in our search form placed on the right side of every Secunia web page, or by entering the SA ID directly after the domain when visiting the Secunia website e.g. http://secunia.com/SA10395 In the Secunia Weekly Summary SA IDs are displayed in brackets e.g. [SA10395] 2) This Week in Brief: This week more products were reported to have vulnerable implementations of the H.323 protocol; among the vulnerable products were some from Sun and Avaya. While the vulnerability reported in Sun's product can be exploited to gain system access, the vulnerability reported in Avaya's products can only be used to cause a Denial of Service. Reference: [SA10665] & [SA10667] Three security researchers, George Bakos, Jonathan Heusser, and Przemyslaw Frasunek, have reported four vulnerabilities in the way tcpdump handles ISAKMP, L2TP, and RADIUS packets. A new version has been released which corrects these vulnerabilities. In addition several Linux distributions have also issued updated packages. Reference: [SA10636] TIP: Finding Secunia advisories is easily done through the Secunia web site. Simply enter the SA ID in the URL: http://secunia.com/SA10609 3) This Weeks Top Ten Most Read Advisories: 1. [SA10395] Internet Explorer URL Spoofing Vulnerability 2. [SA10649] qmail Long SMTP Session Handling Vulnerability 3.
[SA10609] Symantec Automatic LiveUpdate Privilege Escalation Vulnerability 4. [SA10636] tcpdump ISAKMP and RADIUS Packet Handling Vulnerabilities 5. [SA10532] Linux Kernel "mremap()" Privilege Escalation Vulnerability 6. [SA10289] Internet Explorer System Compromise Vulnerabilities 7. [SA10635] HP-UX calloc Buffer Size Miscalculation Vulnerability 8. [SA10523] Internet Explorer showHelp() Restriction Bypass Vulnerability 9. [SA10634] HP-UX update for dtterm 10. [SA10611] Microsoft ISA Server 2000 H.323 Protocol Filter Vulnerability 4) Vulnerabilities Summary Listing Windows: [SA10687] DUware Products Admin Area Authentication Bypass Vulnerability [SA10679] GetWare Products Denial of Service Vulnerability [SA10659] Xtreme ASP Photo Gallery SQL Injection Vulnerability [SA10646] WWW File Share Pro Multiple Vulnerabilities [SA10650] RapidCache Server HTTP Request Handling Vulnerabilities [SA10663] [EMAIL PROTECTED] Privilege Escalation Vulnerability [SA10660] Outpost Firewall Privilege Escalation Vulnerability [SA10661] Pablo FTP Server Allows Remote Detection of Local Files [SA10689] WebTrends Exposure of Installation Path UNIX/Linux: [SA10690] Sun Solaris update for IKE [SA10673] Sun Cobalt update for ProFTPD [SA10665] SunForum H.323 Protocol Implementation Vulnerabilities [SA10647] HP Tru64 UNIX IPsec and SSH Vulnerabilities [SA10685] Red Hat update for mc [SA10681] Conectiva update for kdepim [SA10668] EnGarde update for tcpdump [SA10664] OpenCA libCheckSignature Signature Validation Vulnerability [SA10654] OpenPKG update for tcpdump [SA10652] Debian update for tcpdump [SA10645] Debian update for mc [SA10644] Trustix update for tcpdump [SA10642] Debian update for ia64 kernel [SA10639] Red Hat update for tcpdump [SA10691] Sun Cluster OpenSSL Vulnerabilities [SA10643] Red Hat update for net-snmp [SA10692] HP-UX update for Mozilla [SA10684] Red Hat update for ethereal [SA10682] Conectiva update for cvs [SA10671] Sun Cobalt update for tcpdump [SA10651] BUGS Database 
Credentials Exposure Vulnerability [SA10637] SuSE update for tcpdump [SA10674] Sun Cobalt update for PostgreSQL [SA10680] Conectiva update for screen [SA10672] Sun Cobalt update for apache [SA10662] Debian upd
[ISN] Students' computers hacked
http://www.chronicle.duke.edu/vnews/display.v/ART/2004/01/22/400fd304cd30b by Andrew Collins January 22, 2004 Some students coming back from fall study abroad have discovered to their dismay, what others in the University have known for months: Duke computers are under siege from hackers. Since August 2003, the Office of Information Technology has had to reinstall the operating systems of hundreds of hacked computers--the computer equivalent of a lobotomy. Although not unprecedented, the recent surge in hacking has inconvenienced many and shows no signs of abating. Former study abroad students report that a disproportionately high number of their fellow travelers have been hacked. A possible reason is that since they were gone last semester, some of these returning students may have failed to take precautions OIT recommends to guard against hacking. Junior Vinitha Kaushik said she did not pay adequate attention to an OIT security patch download page that greeted her when she returned to her computer from a France study abroad program. "They put the patch in the middle of a registration form," she said. "All I really wanted to do was get back on the Internet when I got back to school, so I skipped the middle part." Kaushik's computer was promptly hacked. OIT security officer Chris Cramer said computers become vulnerable when individuals fail to create an administrator password or when they fail to download security updates for their operating systems. Most of the University's recent hacking cases have resulted from a lack of an administrator password, he said. The identity of the hackers--and Cramer said there are almost certainly multiple people involved--is largely impossible to trace. Many of the suspected hackers are thought to be from foreign countries, including Brazil, while others are suspected to be from within the United States. 
The Federal Bureau of Investigation has not taken up any Duke cases yet, Cramer said, because the amount of damage from each hacking is relatively small. Cramer said there are three main motivations to hacking Duke computers: fun, data storage and as a means to attack other computers. Although the hackers' amusement factor may be impossible to gauge, hacked Duke computers have been used for data storage and, occasionally, to launch attacks on other computers. "Typically, these are teenagers--younger teenagers--just looking for thrills," Cramer said. "The folks who break into the machines are [often] looking for some computer where they can store movies, music, pornography, et cetera, all these illegal materials, so that other people can download them." The standard OIT protocol for dealing with hacked computers is to wipe clean the hard drive and reinstall the operating system. This reinstallation service is free but leads to five to seven days of computer deprivation, as well as the inconvenience of having to back up important data and reinstall programs. Hacking victims, predictably, voiced their displeasure about their computer lobotomies. "It's awful," Kaushik said. "I live in Edens [Quadrangle]; the computer lab isn't even close and applications and resumes are due." "It's just sort of a pain... actually, it's a big pain," said junior Kate Hansen. "I don't have a burner, so all my music and picture files are gone. I was only able to salvage some [Microsoft] Word files and stuff." For those who did not save their original CD-ROMs for application packages such as Microsoft Office, the operating system reinstallation can become quite expensive. Duke Computer Store manager Clarence Morgan said the computer store cannot replace lost disks. OIT insists on reinstalling hacked operating systems because of the relatively unlikely possibility that a hacked system could attack other computers on the network. 
Failure by a hacked individual to bring his or her computer to OIT within a week results in a severed internet connection, Cramer said. "Unless you really know what you're doing, the safest thing to do is reinstall the operating system and then restore that data to a clean computer," Cramer said. "You can attempt to get the hacker off your system, but it's never as simple as just changing your password, because usually the hacker has installed back doors--ways they can get back in." Some students are complaining about shorter-than-advertised periods between initial notification and losing their internet; others say their computers have remained in the shop longer than five to seven days. Despite the grumbling, most praised OIT workers' helpfulness and others have even identified positive aspects to being temporarily stripped of their computers. "My roommate's computer got hacked into too," said Hansen of her fellow study abroad veteran, junior Jessica Laun, "so we actually have real conversations."
[ISN] Analysts call for hold on military e-voting
http://www.fcw.com/fcw/articles/2004/0119/web-evoting-01-22-04.asp By Michael Hardy Jan. 22, 2004 A group of computer scientists is urging the Defense Department to abandon a plan to let overseas personnel cast absentee ballots over the Internet. The system, called Secure Electronic Registration and Voting Experiment (SERVE), will be implemented in time for November's election, said DOD spokesman Glenn Flood. Although security analysts who studied the system believe it could be vulnerable to hacking and alteration of results, DOD officials do not intend to change their plans. "We have confidence that it will be safe and secure for the general election in November," he said. "We respect the work the team did, but these are issues we knew about." The analysts include Avi Rubin, the Johns Hopkins University professor who publicized potential security hazards last year in electronic voting machines. They concluded that because SERVE uses Microsoft Corp.'s Windows operating system and standard Internet technologies, there is no way to make it secure. Some states could potentially use the system for primary elections, although it won't be ready in time for the Feb. 3 primaries, he said. "It's their call," he said. "The flaws are unsolvable because they are fundamental to the architecture of the Internet," said David Wagner, an assistant professor of computer science at the University of California-Berkeley, and one of the researchers, in a written statement. "It's simply not secure enough for something as serious as the election of a government official." The researchers are worried that if the early trials of SERVE are successful, federal and state governments will rush to expand its use, assuming that it will be secure. "That's like saying you don't ever need to wear a seat belt because you drove to work without crashing the car this morning," Rubin said. 
[ISN] Romanian Court Indicts Accused 'Blaster' Virus Author
http://www.washingtonpost.com/wp-dyn/articles/A38364-2004Jan22.html The Associated Press Thursday, January 22, 2004 BUCHAREST, Romania -- A Romanian court has indicted a graduate student on charges of distributing a variant of the computer-crippling "Blaster" Internet virus, authorities said Thursday. Dan Dumitru Ciobanu, 25, was accused of producing the Romanian version of the worm and infecting 27 computers at a university in northeastern Romania, said Mihaela Butuca, a court spokeswoman in the city of Iasi, 250 miles northeast of Bucharest. The Dec. 10 indictment alleges that Ciobanu created a "severe disturbance" in the computers. The charge carries a penalty of 15 years in prison. His trial begins Jan. 27 and he is not in custody. Romanian authorities identified the worm in September, about a month after the original version and other variants of Blaster had crippled hundreds of thousands of computers worldwide and forced Maryland's motor vehicle agency to close for a day. Like many other viruses, Blaster took advantage of a flaw in the Windows operating system. It caused computers to mysteriously shut down and restart. Authorities in the United States have charged two youths with creating Blaster variants. Romania has had little experience in prosecuting computer crimes, in part because authorities enacted a cybercrime law only last year.
[ISN] Infiltration of files seen as extensive
Forwarded by: Tim Keller, esteban & Art McGee http://www.boston.com/news/nation/articles/2004/01/22/infiltration_of_files_seen_as_extensive/ By Charlie Savage Globe Staff 1/22/2004 WASHINGTON -- Republican staff members of the US Senate Judiciary Committee infiltrated opposition computer files for a year, monitoring secret strategy memos and periodically passing on copies to the media, Senate officials told The Globe. From the spring of 2002 until at least April 2003, members of the GOP committee staff exploited a computer glitch that allowed them to access restricted Democratic communications without a password. Trolling through hundreds of memos, they were able to read talking points and accounts of private meetings discussing which judicial nominees Democrats would fight -- and with what tactics. The office of Senate Sergeant-at-Arms William Pickle has already launched an investigation into how excerpts from 15 Democratic memos showed up in the pages of the conservative-leaning newspapers and were posted to a website last November. With the help of forensic computer experts from General Dynamics and the US Secret Service, his office has interviewed about 120 people to date and seized more than half a dozen computers -- including four Judiciary servers, one server from the office of Senate majority leader Bill Frist of Tennessee, and several desktop hard drives. But the scope of both the intrusions and the likely disclosures is now known to have been far more extensive than the November incident, staffers and others familiar with the investigation say. The revelation comes as the battle of judicial nominees is reaching a new level of intensity. Last week, President Bush used his recess power to appoint Judge Charles Pickering to the Fifth Circuit Court of Appeals, bypassing a Democratic filibuster that blocked a vote on his nomination for a year because of concerns over his civil rights record.
Democrats now claim their private memos formed the basis for a February 2003 column by conservative pundit Robert Novak that revealed plans pushed by Senator Edward M. Kennedy, Democrat of Massachusetts, to filibuster certain judicial nominees. Novak is also at the center of an investigation into who leaked the identity of a CIA agent whose husband contradicted a Bush administration claim about Iraqi nuclear programs. Citing "internal Senate sources," Novak's column described closed-door Democratic meetings about how to handle nominees. Its details and direct quotes from Democrats -- characterizing former nominee Miguel Estrada as a "stealth right-wing zealot" and describing the GOP agenda as an "assembly line" for right-wing nominees -- are contained in talking points and meeting accounts from the Democratic files now known to have been compromised. Novak declined to confirm or deny whether his column was based on these files. "They're welcome to think anything they want," he said. "As has been demonstrated, I don't reveal my sources." As the extent to which Democratic communications were monitored came into sharper focus, Republicans yesterday offered a new defense. They said that in the summer of 2002, their computer technician informed his Democratic counterpart of the glitch, but Democrats did nothing to fix the problem. Other staffers, however, denied that the Democrats were told anything about it before November 2003. The emerging scope of the GOP surveillance of confidential Democratic files represents a major escalation in partisan warfare over judicial appointments. The bitter fight traces back to 1987, when Democrats torpedoed Robert Bork's nomination to the Supreme Court. In the 1990s, Republicans blocked many of President Clinton's nominees. Since President Bush took office, those roles have been reversed. Against that backdrop, both sides have something to gain and lose from the investigation into the computer files. 
For Democrats, the scandal highlights GOP dirty tricks that could result in ethics complaints to the Senate and the Washington Bar -- or even criminal charges under computer intrusion laws. "They had an obligation to tell each of the people whose files they were intruding upon -- assuming it was an accident -- that that was going on so those people could protect themselves," said one Senate staffer. "To keep on getting these files is just beyond the pale." But for Republicans, the scandal also keeps attention on the memo contents, which demonstrate the influence of liberal interest groups in choosing which nominees Democratic senators would filibuster. Other revelations from the memos include Democrats' race-based characterization of Estrada as "especially dangerous, because . . . he is Latino," which they feared would make him difficult to block from a later promotion to the Supreme Court. And, at the request of the NAACP, the Democrats delayed any hearings for the Sixth Circuit Court of Appeals until after it heard a landmark affirmative action case -- though a
[ISN] Secret army unit gets robbed
Forwarded from: Anonymous @ c4i.org http://www.canada.com/ottawa/ottawacitizen/news/story.html?id=a0a06975-6340-4a40-ad00-a731bce04fb5 David Pugliese The Ottawa Citizen January 17, 2004 Canada's commandos may have tested their mettle against al-Qaeda in Afghanistan, but they appear to be no match for homegrown car thieves. A Joint Task Force 2 pickup truck containing counter-terrorism gear was stolen last May after personnel from the unit made a quick stop at a store, the military has confirmed. Although police recovered the Ford S350 pickup two days later, the thieves had made off with two empty gun magazines, a barrel for a pistol, clothing and a computer laptop. Other equipment, which the military refuses to discuss for security reasons, was recovered in the vehicle. Canadian Forces officials also declined to name the location from where the truck was stolen as that would reveal details about the unit's activities. They would only confirm that the theft took place somewhere in Canada. Navy Lieut. Kent Penney said investigators were able to determine that the stolen laptop did not contain information that would compromise national security. But the thieves might have realized the gear inside the truck was the property of the commando team. "The items in the vehicle could be attributed to the unit," said Lieut. Penney, a spokesman for the military's Counter-terrorism and Special Operations branch. "Certain clothing items would have been attributed to the unit itself." Asked whether the thieves would be able to determine the identities of members of the unit, he replied: "We don't know that." JTF2 is considered one of the most secret organizations in the Canadian Forces. The military acknowledges that the special operations unit exists and is based in Ottawa, but releases few other details. JTF2 has gone on missions in Afghanistan, Nepal, and the former Yugoslavia, among other countries. 
In Canada, it has conducted training missions in many large Canadian cities and has been on hand at major international events such as the G8 summit meeting in Alberta in 2002. Lieut. Penney said in the unit's 10-year history this is the first time one of its vehicles has been stolen. The JTF2 members who were operating the truck faced administrative action and were required to partly pay for the missing gear. The JTF2 members, who are from the unit's support branch, had locked the truck before going into the store. No arrests have been made in the case. But Lieut. Penney said as a result of the incident the unit reviewed its security policies, in particular those relating to vehicles, and has made some changes. At the time of the theft no ammunition, explosives or complete weapons were in the truck, he added. According to police, young people, mostly looking to go joy riding, are behind four out of 10 vehicle thefts. It's not the first time, however, that criminals have made off with counter-terrorism gear. In 1987, thieves stole pistols, submachine-guns, hand grenades, uniforms and an identity card from three marked RCMP trucks in the north end of Montreal. Also taken was a counter-terrorism manual. The RCMP tactical officers were in Montreal on a training mission at the time. The theft wasn't the only vehicle incident involving JTF2 members last year. In June, a JTF2 pickup truck was driving down a steep hill when the driver swerved to avoid a small animal. The truck rolled into a ditch and JTF2 personnel inside the vehicle suffered minor injuries. The military did not identify where the accident took place because of security reasons. *==* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. 
Gray, USMC C4I.org - Computer Security, & Intelligence - http://www.c4i.org Help C4I.org with a donation: http://www.c4i.org/contribute.html *==*
[ISN] Trend Micro balks at Reuters hysteria
Forwarded from: Vmyths.com Virus Hysteria Alert <[EMAIL PROTECTED]> Vmyths.com Virus Hysteria Alert {20 January 2004, 19:10 CT} Reuters reporter Jennifer Tan filed a newswire last week to say "computer virus attacks cost global businesses an estimated $55 billion in damages in 2003." Her story quotes Trend Micro employee Lionel Phang, who works in the firm's Singapore office. A number of news sites carried Tan's newswire and translated it into multiple languages. Two spokesmen at Trend Micro called Vmyths in an effort to balk at the Reuters newswire. Spokesman Michael Sweeny flatly dismissed the guesstimate as "wrong." Spokesman David Perry insists Trend Micro CANNOT gauge a damage value -- because they simply don't collect the required data. Tan's newswire failed to explain how Phang derived his guesstimate. She also failed to say if Phang meant U.S. dollars or Singapore dollars. (There is nearly a 2-to-1 difference between those currencies.) Cub reporters often make these mistakes. It appears Reuters pulled the newswire from their lineup, but we didn't find a retraction or clarification. Based on previous history, Vmyths suspects Reuters will feign indifference in order to save face. Cub reporter Jennifer Tan will probably learn a lesson, and life will go on. History suggests this "$55 billion" URBAN LEGEND will thrive in the computer security world. Believe it or not, virus experts are a relatively gullible bunch who tell whoppers with a perfectly straight face. See http://Vmyths.com/resource.cfm?id=29&page=1 to learn about this phenomenon. Employees are only human, and Trend Micro often goes out of its way to correct the record. Their spokesmen disowned Phang's guesstimate when copycat reporters called for a quote. Vmyths congratulates Trend Micro for taking the high road. Employees are only human ... but Lionel Phang may be "more human" than most. He has slipped up at least once before when talking to reporters. 
Phang may be suffering from a mild case of "False Authority Syndrome." Vmyths urges him to read http://Vmyths.com/fas/fas1.cfm as soon as possible. Stay calm. Stay reasoned. Learn how to distinguish U.S. dollars from Singapore dollars. And stay tuned to Vmyths. Rob Rosenberger, editor http://Vmyths.com (319) 646-2800 --- Useful links -- False Authority Syndrome http://Vmyths.com/fas/fas1.cfm Remember this when virus hysteria strikes http://Vmyths.com/resource.cfm?id=31&page=1 Common clichés in the antivirus world http://Vmyths.com/resource.cfm?id=22&page=1
[ISN] information security trends and patterns for 2003
Forwarded from: [EMAIL PROTECTED] By studying messages on various information security mailing lists, I've created a visual depiction of INFOSEC community trends over time. You can view my report at: http://www.sharp-ideas.net/research/infosec_zeitgeist.html If you'd like to leave me comments, you can post them to my blog at: http://www.sharp-ideas.net/archives/16.html#more Cheers, Abe Usher, CISSP
[ISN] Windows & .NET Magazine Security UPDATE--Linux vs. BSD--January 21, 2004
This Issue Sponsored By Exchange & Outlook Administrator http://list.winnetmag.com/cgi-bin3/DM/y/eeKY0CJgSH0CBw0BEf10AT

1. In Focus: Linux vs. BSD
2. Announcements
- Get 2 Sample Issues of Windows & .NET Magazine!
- New Web Seminar: Email Is a Service--Manage It Like One
- Event Central--a Comprehensive Resource for the Latest Events in Your Field
3. Security News and Features
- Recent Security Vulnerabilities
- News: Microsoft Issues January Security Patches
- Feature: Not Ready for an Antispam Solution?
- Feature: Malicious Hackers and Spam, Part 2
4. Security Toolkit
- Virus Center
- FAQ: How Can I Enable Advanced File System and Sharing Security for a Windows XP Machine in a Workgroup?
- Featured Thread: Vulnerabilities in NTP Protocol?
5. Event
- Free Web Seminar--The Costs of Spam
6. New and Improved
- Content Security and Antispam
- Policy Compliance and Assessment
- Tell Us About a Hot Product and Get a T-Shirt
7. Contact Us
See this section for a list of ways to contact us.

Sponsor: Exchange & Outlook Administrator
Try a Sample Issue of Exchange & Outlook Administrator! If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and down time. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, and secure Exchange and Outlook. Order now! http://list.winnetmag.com/cgi-bin3/DM/y/eeKY0CJgSH0CBw0BEf10AT

1. In Focus: Linux vs. BSD
by Mark Joseph Edwards, News Editor, [EMAIL PROTECTED]

Many of you operate networks that involve a mix of OSs, or maybe you're considering adding systems that run on other platforms.
Windows and the many Linux varieties are the dominant platforms of the day, but a few other OSs--varieties of Berkeley Software Distribution (BSD) UNIX, Apple Computer's Mac OS X (which is based on BSD), and IBM AIX, HP-UX, and Sun Microsystems' OSs--are dear to the hearts of many computer users. Many respectable varieties of Linux exist, such as SUSE LINUX (recently purchased by Novell), Red Hat Enterprise Linux, MandrakeSoft's Mandrake Linux, and Debian GNU/Linux. Multiple varieties of BSD also exist, including NetBSD, FreeBSD, OpenBSD, and Wind River's BSD/OS. Did you know that even though BSD and Linux are both UNIX variants, they have fundamental differences? Last week, Richard Bejtlich in his TaoSecurity Weblog (see the first URL below) discussed Matt Fuller's rant "BSD vs Linux" (see the second URL below), which explains some of the history and background of BSD and Linux. The backgrounds of the two OSs are different, yet both were developed as open-source projects.
http://taosecurity.blogspot.com
http://www.over-yonder.net/~fullermd/rants/bsd4linux/bsd4linux1.php
Fuller gives a brief background on a variety of points about BSD and Linux, including their respective base systems, OS add-on mechanisms, update releases, and upgrading. In summary, Fuller's opinion is that BSD is developed in a more controlled fashion than most Linux varieties and uses more effective methods for updates, upgrades, and add-ons. Many security professionals prefer BSD because of the attention it pays to the overall security of the OS. For example, NetBSD historically has been considered a well-secured OS, much more so than most of the Linux varieties. OpenBSD and FreeBSD also focus intensely on security. In fact, the OpenBSD home page boasts, "Only one remote hole in the default install, in more than 7 years!" in big, bold, red letters. That's an impressive record. If you're deciding among OSs, consider BSD. Among the Linux varieties, SUSE is considered to be one of the most secure.
And don't overlook the fact that Windows Server 2003 is a great improvement over its predecessors. Microsoft's effort to improve overall out-of-the-box security shows, so you might consider upgrading from Windows NT or Windows 2000 to Windows 2003.

2. Announcements (from Windows & .NET Magazine and its partners)

Get 2 Sample Issues of Windows & .NET Magazine!
Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange Server, and more. Our expert authors deliver content you simply can't find anywhere else. Try two, no-risk sample issues today, and find out why 100,000 IT professionals read Windows & .NET Magazine each month! http://list.winnetmag.com/cgi-bin3/DM/y/eeKY0CJgSH0CBw0BEuX0AN

New Web Seminar: Email Is a Service--Manage It Like One
True end-to-end management of the messaging infrastructure requires an integrated, service-oriented approach. This free Web seminar introduces service-driven management and best practices for
[ISN] UPDATED: FBI raids hacker home in search of stolen Half-Life 2 code
http://www.geek.com/news/geeknews/2004Jan/gee20040120023508.htm posted 11:55am EST Tue Jan 20 2004 submitted by J. Eric Smith Those wily grunts in the black helicopters are at it again. No, not Microsoft's Secret Service Legion, the somewhat-less-fear-inducing Federal Bureau of Investigation (FBI). According to a weblog posted by a San Francisco resident, the Effa Bee Eye raided his domicile looking for a treasure beyond comprehension: the stolen source code to Valve Software's upcoming blockbuster gaming sequel, Half-Life 2. The raidee, one Chris Toshok, was rudely awakened by the men in black, who proceeded to search his apartment for anything relating to Valve Software and Half-Life 2. When the federal agents left, they took with them practically every piece of electronic gear owned by Toshok, including 9 computers, his Xbox, and a Tivo. Toshok proclaims his innocence, but also admits to being associated with a group calling itself the "Hungry Programmers." The group is on the FBI's list as a piracy organization, and has apparently been linked to other hacking activities in the past. You can read Toshok's blog[1] on the event if you're so inclined. UPDATE 4:30 P.M. ET: Forgot to include the following attribution in the original posting. Sorry, K.! --ChiefEditor Thanks to K. Adams for the heads-up, and the link to The Inquirer's coverage. [1] http://squeedlyspooch.com/blog/archives/72.html [...]
[ISN] CodeCon program announced, early registration deadline nearing
Forwarded from: Len Sassaman <[EMAIL PROTECTED]> The program for CodeCon 2004 has been announced. http://www.codecon.org/2004/program.html CodeCon is the premier showcase of active hacker projects. It is a workshop for developers of real-world applications with working code and active development projects. All presentations will be given by one of the active developers, and accompanied by a functional demo. Highlights of CodeCon 2004 include:
PGP Universal - Automatic, transparent email encryption with zero clicks
Osiris - A free Host Integrity Monitor designed for large scale server deployments that require auditable security
Tor - Second-generation Onion Routing: a TCP-based anonymizing overlay network
Vesta - An advanced software configuration management system that handles both versioning source files and building
PETmail - Permission-based anti-spam replacement for SMTP
FunFS - Fast User Network File System - An advanced network file system designed as a successor for NFS
Codeville - Distributed version control system
Audacity - A cross-platform multi-track audio editor
Registration for CodeCon costs $95 at the door or online after January 31st. Through the end of January it is only $75. http://www.codecon.org/2004/registration.html The third annual CodeCon takes place in San Francisco, February 20 - 22, 2004.
[ISN] Bagle e-mail virus slows, fuels naming debate
http://www.computerworld.com/securitytopics/security/story/0,10801,89264,00.html [I've said it privately that one way to stomp out Windows viruses is to stop giving them cutesy names, I really wish someone would name the next Windows virus "Big Red Penis". I would think one virus outbreak with Dan Rather or Peter Jennings having to start out the national news talking about the Big Red Penis virus infecting Windows computers worldwide would be enough to get Redmond to take some real action in stopping future outbreaks. - WK] Story by Bernhard Warner JANUARY 21, 2004 REUTERS Antivirus technicians said today that Bagle, the latest e-mail virus to hit global computer users, is in decline and no longer considered a major threat. But as the contagion runs its course, some antivirus technicians are asking whether there's a better way of naming such viruses to alert the public. Since emerging on Sunday (see story) [1], Bagle has been something of a mystery. Computer security experts first called it "Beagle" after pulling the reference from a line of code found in the malicious program. Later, it was given the name Bagle, a misspelled version of the doughnut-shaped roll. Warnings about a malicious bagel drew more questions than normal from the virus-weary public. "Personally, I would have called it Beagle rather than Bagle, for the sole purpose of avoiding all these support calls asking, 'Why did you call it bagle?' " said Graham Cluley, a senior technology consultant at Sophos PLC, a U.K.-based software firm specializing in virus and spam detection. Agreeing on a single, easily identifiable name is a crucial step in the virus alert process. Quickly publicizing the existence of a new outbreak and developing a prescribed fix are vital to stopping worms and viruses in their tracks. Despite the technical expertise that goes into identifying an outbreak and a remedy, the process of naming a virus is hardly scientific. 
In the past, digital viruses and worms have been named after favorite lunch dishes or friends, or plucked from the words or phrases found in the code by antivirus technicians. Sometimes the words are jumbled, as with Nimda, which is admin spelled backwards. As a result, computer users have been urged to brace themselves against such notorious contagions as Slammer and Goner. And they have been advised not to be fooled by the infamous Love Bug or click on Anna Kournikova. With hundreds of new outbreaks emerging each month, new monikers are in short supply, experts said. For this reason, some have suggested that antivirus firms devise a naming procedure like national weather services, which have agreed on a long alphabetical list of names for hurricanes years before they form. "What I would like to see is everybody using the same naming scheme," said Alex Shipp, senior antivirus technologist at MessageLabs Ltd., a U.K.-based e-mail virus detection firm. "It's confusing if you think your antivirus software has you protected against one virus and then you hear on the radio it's called something else," Shipp said. But getting virus technicians to agree is no small feat. "I'm afraid it's never going to happen," Cluley said. "These virus outbreaks travel around the world in minutes. If you have a hurricane coming at you, you have a few hours to agree." [1] http://www.computerworld.com/securitytopics/security/story/0,10801,89222,00.html
[ISN] RE: Hi
Let me be the first to say that I'm sorry this virus-infected mail leaked through, and due to poor authentication routines in majordomo, this may happen again. Longtime ISN subscribers know that we don't send out attachments; if you did click on the attachment, the virus was [EMAIL PROTECTED]. There are a number of programs now available to rid your computer/network of [EMAIL PROTECTED] (check with your vendor), or you can manually disinfect your machine by doing the following...

1. Delete the registry value and restart the computer: [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d3dupdate.exe] or terminate the running 'bbeagle.exe' process with Task Manager
2. Delete the worm from the Windows System Directory: %SysDir%\bbeagle.exe

Finally, if you, or Usama bin Virus, want to drop the Internet to its knees, make it a point to infect university computers on the weekend/holiday, use those networks that have no staffed contact/emergency/help desk numbers for the computing staff. Double check that the university police have no POC/emergency pager numbers if something really needs to be turned off. Not that these guys would know anything about that... http://www.dnsstuff.com/tools/whois.ch?ip=138.87.155.2

It's a sneaky virus, so to prevent a repeat of all of this, we're going to post messages for a few days from this address until things calm down a little, just in case you use [EMAIL PROTECTED] in your mail filters. Thanks for your support!

William Knowles [EMAIL PROTECTED]
*==* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen. Alfred M. Gray, USMC C4I.org - Computer Security, & Intelligence - http://www.c4i.org Help C4I.org with a donation: http://www.c4i.org/contribute.html *==*

: -- Forwarded message --
: Return-Path: <[EMAIL PROTECTED]>
: Received: from forced.attrition.org (forced.attrition.org [66.80.146.7])
:   by idle.curiosity.org (8.11.6/8.11.6) with ESMTP id i0JKaKM06331;
:   Mon, 19 Jan 2004 14:36:30 -0600
: Received: (from [EMAIL PROTECTED])
:   by forced.attrition.org (8.11.6/3.8.9) id i0JJfnI08776
:   for isn-list; Mon, 19 Jan 2004 14:41:49 -0500
: Received: from clalbur ([138.87.155.2])
:                         ^^^
:   by forced.attrition.org (8.11.6/3.8.9) with SMTP id i0JJfmd08773
:   for <[EMAIL PROTECTED]>; Mon, 19 Jan 2004 14:41:49 -0500
: Date: Mon, 19 Jan 2004 13:38:57 -0600
: To: [EMAIL PROTECTED]
: Subject: [ISN] Hi
: From: [EMAIL PROTECTED]
: Message-ID: <[EMAIL PROTECTED]>
: MIME-Version: 1.0
: Content-Type: multipart/mixed;
:   boundary="247787143784553"
: Sender: [EMAIL PROTECTED]
: Precedence: bulk
: Reply-To: [EMAIL PROTECTED]
: x-unsubscribe: echo "unsubscribe isn" | mail [EMAIL PROTECTED]
: x-isn-list: x-loop, procmail, etc
: x-url: http://www.c4i.org/isn.html
:
: Test =)
: aowybbojjfjwudjx
: --
: Test, yep.
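The Received: chain in the forwarded message above is what points at the injecting host (138.87.155.2). As an added example that is not part of the ISN post, this Python script walks such a chain hop by hop, picks out the earliest hop that names a network source, and lists the signs a list admin would check before trusting the post. The header block is reconstructed from the forwarded message; the list host name and the one trusted relay address are taken from it.

```python
"""Trace the injecting host of a mailing-list post from its Received: chain.

Added example for the ISN post above; it is not part of the post. The header
block is reconstructed from the forwarded message (quote prefix removed, the
archive's [EMAIL PROTECTED] masks left in place).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Reconstructed from the forwarded message; continuation lines start with a tab.
SAMPLE_HEADERS = """\
Return-Path: <[EMAIL PROTECTED]>
Received: from forced.attrition.org (forced.attrition.org [66.80.146.7])
\tby idle.curiosity.org (8.11.6/8.11.6) with ESMTP id i0JKaKM06331;
\tMon, 19 Jan 2004 14:36:30 -0600
Received: (from [EMAIL PROTECTED])
\tby forced.attrition.org (8.11.6/3.8.9) id i0JJfnI08776
\tfor isn-list; Mon, 19 Jan 2004 14:41:49 -0500
Received: from clalbur ([138.87.155.2])
\tby forced.attrition.org (8.11.6/3.8.9) with SMTP id i0JJfmd08773
\tfor <[EMAIL PROTECTED]>; Mon, 19 Jan 2004 14:41:49 -0500
Date: Mon, 19 Jan 2004 13:38:57 -0600
To: [EMAIL PROTECTED]
Subject: [ISN] Hi
From: [EMAIL PROTECTED]
Precedence: bulk

Test =)
"""

Hop = Dict[str, Optional[str]]

# sendmail-style clause: "from HELO (rdns [ip]) by HOST ... with PROTO ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s*\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9.]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\bwith\s+(?P<with>\S+))?",
    re.DOTALL,
)


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines; return (name, value) pairs in order."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value: str) -> Hop:
    """Extract source HELO name, reverse-DNS name, IP, relay and protocol."""
    hop: Hop = {"helo": None, "rdns": None, "ip": None, "by": None, "with": None}
    if value.startswith("("):
        # "(from user)" form: injected locally on the relay, no network source.
        m = re.search(r"\bby\s+(\S+)", value)
        hop["by"] = m.group(1) if m else None
        return hop
    m = RECEIVED_RE.match(value)
    if m:
        hop.update(m.groupdict())
    return hop


def received_chain(raw: str) -> List[Hop]:
    """Hops in transit order: the last Received: header was stamped first."""
    hops = [parse_received(v) for n, v in unfold_headers(raw) if n.lower() == "received"]
    return list(reversed(hops))


def find_origin(raw: str) -> Optional[Hop]:
    """Earliest hop that names a network source: the host that injected the mail."""
    for hop in received_chain(raw):
        if hop["ip"]:
            return hop
    return None


def assess_submission(raw: str, list_host: str, trusted_ips: Set[str]) -> List[str]:
    """Findings a list admin would want before trusting a post that claims to
    come from the list: where it entered, and how the sender identified itself."""
    origin = find_origin(raw)
    if origin is None:
        return ["no network hop found in Received: chain"]
    findings: List[str] = []
    if origin["by"] == list_host and origin["ip"] not in trusted_ips:
        findings.append(f"post injected into {list_host} directly from {origin['ip']}")
    if origin["rdns"] is None:
        findings.append(f"sender HELO '{origin['helo']}' has no reverse DNS name")
    if origin["with"] == "SMTP":
        findings.append("client spoke HELO/SMTP, not EHLO, so no ESMTP AUTH was possible")
    return findings


if __name__ == "__main__":
    for line in assess_submission(SAMPLE_HEADERS, "forced.attrition.org", {"66.80.146.7"}):
        print(line)
```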
[ISN] Happy Holidays!
The staff at InfoSec News and C4I.org would like to wish you a very happy holidays and all the best for the new year! All the best for a happy, healthy and prosperous 2004 to you and your loved ones! Cheers! William Knowles [EMAIL PROTECTED] *==* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC C4I.org - Computer Security, & Intelligence - http://www.c4i.org Help C4I.org with a donation: http://www.c4i.org/contribute.html *==*
[ISN] Duplicate/Triplicate Messages
In case you didn't notice in between your usual amount of mail offering to either make your Johnson or b00bs larger, generic v1arga, and "Re: My Details", we had a mail loop, not once, not twice, but three times from two separate parties.

Particularly ironic in my book was that one party, from navy.mil (and from an NMCI gateway), was sending out the FCW article on the "good Samaritan" virus clogging up the NMCI network.

http://www.fcw.com/fcw/articles/2003/0818/web-nmci-08-19-03.asp

Diehard, longtime InfoSec News subscribers will thankfully have recognized the ONE common denominator to mail loops on the list, and it falls down to Microsoft SMTPSVC. So even though articles have been seen and transmitted to InfoSec News (many times days before), they get re-transmitted because the stupid Micro$oft servers will apparently resend to any address found on the To: line.

Who needs the Osama bin Virus to turn off the SCADA networks? I can only imagine what would happen if you let this clog up a few internal Homeland Defense mailing lists with 10+MB copies of PowerPoint slides over and over. This is truly an annoying "feature" with Microsoft mail servers and I wish someone would address this in the very near future.

Blocks are in place (two for the Navy), and both users have been expeditiously booted from the list.

This is the only ISN message for today; I have been deleting pretty much all the mail coming to [EMAIL PROTECTED], which has tallied in the 4000+ message range, not to mention mail from dozens of other defense contractors that haven't patched their systems for the viruses making the rounds, otherwise why else would I be getting mail titled "Re: Your application." when I never sent my resume to them. :)

Thanks for your time and patience!

William Knowles
[EMAIL PROTECTED]
[ISN] The Special Operations Warrior Foundation
As long time readers of InfoSec News know, I have a short list of charities I try to support, and if an event comes up where I think I can help out, and it's somewhat in the context of the list, I'll post something here.

It's come to my attention that The Special Operations Warrior Foundation (SOWF) is getting ready to hold their 5th Annual Warrior Relay Run October 14 - 17.

http://www.specialops.org/

The SOWF will have about 20 special operations troops - Army, Navy and Air Force - who will be running 335 miles in four days to raise money for the children of special operations forces who are killed in an operational mission or training accident. Since Sept. 11th, the special operations community has lost 39 personnel, leaving some 33 children without a parent. Since 1980, America has lost 371 special operations personnel in operational missions or training accidents, leaving behind 386 children without a parent.

The Warrior Relay Run is one of the SOWF's major fundraisers and they are actively looking for sponsors, but would also like to see public involvement by getting out on the streets to cheer these runners on as they make their journey from Fayetteville, NC to the Pentagon.

Over the years I have met many of these "Quiet Professionals" and also have had the honor of working for one for many years. I hope that some of you will take a few moments today looking over their site, and maybe making a donation.

Thanks for your time and have a safe weekend!

William Knowles
[EMAIL PROTECTED]
[ISN] U.S. Raises Terror Alert Level
http://www.washingtonpost.com/wp-dyn/articles/A62220-2002Sep10.html

By John Solomon
Associated Press Writer
Tuesday, September 10, 2002; 1:45 PM

WASHINGTON - The Bush administration raised the nation's terror alert warning to its second highest level Tuesday - code orange - signaling a "high risk" of attack ahead of the Sept. 11 anniversary. It was the first time since the terrorist attacks that the level was set so high.

The elevation was announced by Attorney General John Ashcroft, Homeland Security Director Tom Ridge and FBI Director Robert Mueller. Ashcroft cited "specific intelligence on specific attacks on U.S. interests overseas." He said that President Bush had approved the change.

At the same time, the State Department announced that the government was temporarily closing for public business about two dozen U.S. diplomatic posts worldwide. Officials cited specific threats against U.S. embassies in southeast Asia, including embassies in Indonesia and Malaysia.

Ashcroft said the government was not urging Americans to change their travel plans or that there be a cancellation of events. Similarly, he said there was no call for government workers to stay home.

Ashcroft said the United States had gathered intelligence suggesting that such attacks are intended to coincide with the Sept. 11 anniversary of the terrorist attacks. "Symbols of American power and authority," such as embassies, military facilities and national monuments are possible targets, Ashcroft said. He said terrorists might "lash out in even small strikes," including car bombings and other suicide attacks.

Security was also being increased at military bases worldwide, Ashcroft said.

The level, which reflects a "high risk of terrorist attacks," is one step below the top "red," or "severe risk." The level had been at "yellow," in the middle of the five-color scale.

Code orange calls for government officials to take extra precaution at public events and to coordinate their efforts with the military. Access to various government installations is restricted to only "essential personnel."

Officials said there was no specific threat against targets in the United States, but the government opted to raise the alert level because of an increase in communications - what the intelligence community calls "chatter" - among suspected terrorists.