You may leave the list at any time by sending an email to [EMAIL PROTECTED] with the text "SIGNOFF SECURITYPORTAL-L" in the body of the email. We will miss you!

******* Vendor Corner *******

How to protect against application level attacks. Raptor Firewall delivers the most intuitive management interface and high performance, multi-threaded services, giving you the most secure, manageable, and flexible solution for enterprise security needs. Now through June 18, download your FREE guide, "Everything You Need to Know about Network Security" at http://www.axent.com/Axent/Products/RaptorFirewall. AXENT is the leading provider of e-security solutions for your business, delivering integrated products and expert services to 45 of the Fortune 50 companies.

******* What's new with SecurityPortal.com *******

Cryptography and Security

Cryptography addresses one specific security-related requirement, and does so superbly: protecting a message or a file from being read by an eavesdropper who has no other means of access to either the original text of what is protected, or the key with which it is encrypted. At one time, cryptography wasn't as effective as this: during World War II, only a few systems, other than one-time pads, remained unbroken, primarily the top-level systems used by the Allies. But today, personal computers have made it trivial to use very elaborate methods of encryption: whether or not major governments can break them, it is easy enough to be sure that hackers cannot.

Read the full story here <http://securityportal.com/cover/coverstory20000605.html>

******* Vendor Corner *******

Sponsored by Entrust Technologies - We make it safe to do business over the Internet

When delivering e-business solutions, what will set you apart in the mind of your audience? Security. You see, the transition to a successful e-business rests with your ability to facilitate "business as usual" ... online.

When you're thinking about providing electronic equivalents for traditional trusted symbols of business - like a handshake or a signature - think Entrust Technologies. We make it safe to do business over the Internet. Now available: Entrust XML Solution presentation. Register to learn all about this valuable digital signature technology: http://www.entrust.com/events/webcasts/xml.htm.

******* Top News *******

May 29, 2000

Welcome to SecurityPortal.com - The focal point for security on the Net

Recent postings in our top news <http://www.securityportal.com/topnews>:

June 5, 2000

Weekly Solaris Security Roundup <http://securityportal.com/topnews/weekly/solaris20000605.html> - Included in this issue: Yassp Tool Progress, No Secure Copy on Solaris 8?, Colliding Password Hashes, etc. Interested in knowing more about the running processes in a typical Solaris 8 installation? Read this week's Tip of the Week.

Weekly Checkpoint Security Roundup <http://securityportal.com/topnews/weekly/checkpoint20000605.html> - The mailing list section includes information on blocking telnet / ftp access to port 80, and on setting up a Sun machine to run FW-1. Need to track down the "owner" of an IP address or IP network? Take a look at this week's Tip of the Week.

Weekly Microsoft Security Roundup <http://securityportal.com/topnews/weekly/microsoft20000605.html> - Microsoft Security bulletins for SQL Server Service SP1/SP2, Windows Media Encoder 4.x, Windows 2000, and IE 4/5. NTBUGTRAQ: HP DeskJet 970 driver issues, Exchange 5.5 mailbox deletion problems, and buffer overflows with long file extensions in Windows.

Weekly Axent Security Roundup <http://securityportal.com/topnews/weekly/axent20000605.html> - Included in this issue: Raptor 6.5 and Supported Service Packs, A Log Warning Question, and Upgrading from 5.x to 6.x. The Technical Tip for this week focuses on Raptor log messages.
Jun 2, 2000

Winmag.com: The Danger of Hidden File Extensions <http://www.winmag.com/columns/powerw2k/2000/22.htm> - It's easy to disguise a malicious attachment as a harmless text file.

InternetNews: Domain Hijacking Raises Security Issue <http://www.internetnews.com/bus-news/article/0,2171,3_386441,00.html> - In spite of a recent May 5th U.S. district court decision which declared that domain names are not property, and hence can't be "stolen," domain thieves last weekend successfully hijacked two web sites/domains from their rightful owners. The theft highlights the security issues surrounding domain names, particularly the authorization schemes that are in place to protect domain owners.

Silicon: Security firms call for virus 'most wanted' list <http://www.silicon.com/bin/bladerunner?30REQEVENT=&REQAUTH=21046&14001REQSUB=REQINT1=37811> - Europe's leading anti-virus companies are calling for the establishment of a unified virus grading system to prevent the media from spreading hype and misinformation about new attacks.

BBC: Indian police nab net thief <http://news.bbc.co.uk/hi/english/world/south_asia/newsid_773000/773025.stm> - Indian police have made what is said to be the first ever arrest in a case of cybercrime. Police in the Indian capital, Delhi, have charged a computer engineer with stealing over 100 hours of internet time, according to Indian media reports.

TechWeb: Outlook Patch Poses Compatibility Risk <http://www.techweb.com/wire/story/TWB20000602S0001> - Nearly a month after its Outlook messaging client propagated the most disruptive computer viruses to date, Microsoft is ready to release a revamped patch meant to address restrictions in an initial fix introduced last month. But will the latest cure inflict its own pain?

FCW: Security holes going unpatched <http://www.fcw.com/fcw/articles/2000/0529/web-topten-06-02-00.asp> - The CIO Council is asking every federal chief information officer to find and fix the lapses that made a top 10 list of critical Internet security threats. The list, released Thursday, includes problems that have solutions, but the solutions have not been put in place by federal systems administrators.

ITWorld.com: What's the best way to tell an employee goodbye? <http://www2.itworld.com/cma/ett_article_frame/0,2848,1_908,00.html> - You liked him when you hired him, but his skills are inadequate. You also know he has a hot temper, and will probably explode when you fire him -- and possibly even seek revenge. If he's technically skilled, that revenge can be devastating.

Governing Magazine: Hacking away at Government <http://web.lexis-nexis.com/more/cahners-chicago/11407/5907060/2> - In the race to get online, network security has been something of an afterthought. But even the most obscure agency can be a target for Internet intruders.

CNN: Can you hack back? <http://cnn.com/2000/TECH/computing/06/01/hack.back.idg/index.html> - To retaliate or not to retaliate? In cyberspace, there is no simple answer.
Conxion, the San Jose hosting service that reversed the attack on the WTO server, recognized the attack was coming from a single IP address belonging to the e-hippies server.

TechWeb: IT, Company Execs Add To Security Holes <http://www.techweb.com/wire/story/TWB20000601S0016> - Common security breaches by IT and business professionals -- not just an attacker's expertise -- contribute to the success of computer break-ins, the SANS Institute said Thursday.

CNet: Barnesandnoble.com exposes customer's information <http://news.cnet.com/news/0-1007-200-1997618.html?tag=st.ne.1002.thed.ni> - A New Jersey man trying to key in a coupon code at Barnesandnoble.com yesterday found himself in another customer's account with access to that person's personal information.

Jun 1, 2000

FCW: Are online records too public? <http://www.fcw.com/fcw/articles/2000/0529/web-swire-06-01-00.asp> - The noble goal of free-flowing information in the Internet Age has collided with the harsh reality of hackers, criminals and aggressive marketers, President Clinton's privacy counselor, Peter Swire, said this week.

USSR: Remote DoS attack in Real Networks Real Server <http://www.ussrback.com/labs43.html> - The Ussr Labs team has recently discovered a memory problem in the RealServer 7 Server (patched and non-patched). Sending specially malformed information to the RealServer HTTP port (default is 8080) causes the process containing the services to stop responding.

Alternet: Hacktivism in the Cyberstreets <http://www.alternet.org/story.html?StoryID=9223> - In early May an activist calling himself "Reverend Billy" called for thousands of computer owners to fire up their modems for an assault on Starbucks. From unseen corners of the globe, they'd converge on the company's Web site -- hoping to overload it.

Wired: Who Should Fight Cybercrime? <http://wired.com/news/politics/0,1283,36566,00.html> - As the world's top politicians, lawmakers, and business types argue and bleat over what must be done to stop the horrible, world-stopping threat known as cybercrime, a group of engineers who built and preside over the Internet's backbone are debating whether they should get involved.

ZDNet: Web security ups ante, goes nuclear <http://www.zdnet.com/zdnn/stories/news/0,4586,2579948,00.html?chkpt=zdhpnews01> - British Internet companies are increasingly turning to complexes capable of withstanding a nuclear onslaught in the battle against computer hackers and other threats, according to one security consultant.

CNN: How to fight privacy looters <http://cnn.com/2000/TECH/computing/05/31/privacy.law.idg/index.html> - A new law that lets banks, insurers, and brokerage houses merge and share your personal data has frightening implications for consumers. Your insurance company can now find out that you use your credit card to buy lots of big boxes of chocolate and bottles of wine.

TechWeb: U.S., Europe Reach Data Privacy Accord <http://techweb.com/wire/story/TWB20000531S0015> - The United States and the European Union concluded an accord Wednesday that will protect consumers' privacy, maintain data flows and create the right environment for e-commerce, the Clinton administration said Wednesday.

ZDNet: Web sites 'stolen' by cyberthugs <http://www.zdnet.com/zdnn/stories/news/0,4586,2580039,00.html?chkpt=zdhpnews01> - It was a busy weekend for hackers, as they hijacked 'Web.net' and 'Bali.com,' breaking the sites and registering them to someone else.

Standard: FBI, DOJ Issue List of Worst Net Threats <http://www.thestandard.net/article/display/0,1151,15608,00.html> - The FBI, the Department of Justice and the System Administration, Networking and Security Institute are jointly releasing a list detailing the 10 most critical Internet security threats and how to eliminate them.

May 31, 2000

SouthChinaMP: Bank manager executed <http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-20000530131544704.asp> - A bank manager in Guangdong province has been executed for embezzling more than 2 million yuan (about HK$1.79 million) by manipulating computer records, state-run media reported on Tuesday.

PlanetIT: FTC Threat To Regulate E-privacy Gets Real <http://www.planetit.com/techcenters/docs/security/news/PIT20000531S0005> - A federal regulators' call last week to legislate Internet privacy protections re-opened a controversial issue that had been dormant for a year. Consumer privacy concerns have been on the front burner and growing hotter for at least two years as Internet participation took off. But legislation has only been a threat, brought up at annual hearings reviewing regulators' surveys of how Internet sites handle privacy.

Silicon.com: NAI admits "world's safest firewall" has holes <http://www.silicon.com/public/door?REQUNIQ=959792806&6004REQEVENT=&REQINT1=37773&REQSTR1=newsnow> - Network Associates has admitted that its Gauntlet firewall - which it markets as "the world's safest firewall" - has holes in it. The coding error, which NAI is calling a "cyberdaemon", is in the filtering component of the firewall, normally used to protect children from inappropriate Web sites.
When used with Mattel CyberPatrol, it creates a hole which hackers can exploit to crash the DOS operating system, and install executable commands.

Vnunet: Hackers' tool slips through McAfee's net <http://www.vnunet.com/News/1102481> - McAfee's VirusScan software will no longer detect intrusion by a Trojan Horse-based remote administration tool used by hackers because it considers the product legitimate.

Civic.com: Pennsylvania makes spreading computer viruses criminal <http://www.civic.com/civic/articles/2000/0529/web-1penn-05-31-00.asp> - People who intentionally spread a computer virus face a seven-year prison sentence and a $15,000 fine in Pennsylvania after Governor Tom Ridge signed a new bill into law May 26. The bill also requires that restitution be paid for any damages caused.

FCW: Senate eyes Guard for info security <http://www.fcw.com/fcw/articles/2000/0529/web-army-05-31-00.asp> - The Senate this month urged the Pentagon to study how it might use the Army National Guard to make up for the shortage of computer programmers and information security specialists.

CERT Advisory CA-2000-09 Flaw in PGP 5.0 Key Generation <http://securityportal.com/topnews/cert00-09.html> - Under certain circumstances, PGP v5.0 generates keys that are not sufficiently random, which may allow an attacker to predict keys and, hence, recover information encrypted with that key.

Sophos: WM97/Akuma-D <http://www.sophos.com/virusinfo/analyses/wm97akumad.html> - WM97/Akuma-D is a very complex Word macro virus. On a random day within 30 days of infection the virus will display a message box and then attempt to delete all the files on the E:, D: and C: drives.

NAI Labs: VBS/Fireburn.worm <http://vil.nai.com/villib/dispvirus.asp?virus_k=98663> - Rated a medium risk. This is a VBS mass-mailing worm that uses Microsoft Outlook and mIRC to propagate. The worm is a VBS program that is sent to all users in the victim's address book, attached to an email with varying subject lines depending on the language version of the host system which sent the message. It contains a date-activated payload which disables the keyboard and mouse on June 20th.

ZDNet: ICUII outage blamed on rival <http://www.zdnet.com/zdnn/stories/news/0,4586,2578915,00.html?chkpt=zdhpnews01> - The ICUII video conferencing network has been shut down for the second time in a month, and the company said Tuesday a malicious programmer is to blame.

May 30, 2000

CNN: The promises and dangers of instant messaging <http://cnn.com/2000/TECH/computing/05/29/im.review.idg/index.html> - From NWFusion. "Instant messaging applications such as AOL's Instant Messenger, Yahoo! Messenger and Microsoft Network's Messenger Service continue to appear on users' desktops in ever-growing numbers. They've come a long way since their inception. These improvements have made instant messaging applications very useful, and also potentially dangerous."

ComputerWorld: All Star site gears up for hackers <http://computerworld.com/home/print.nsf/all/000526E3A2> - Major League Baseball's (MLB) All-Star Game has been taking great pains to make sure fans don't hack, hack, hack for the home team.

Boston Globe: Souped-up surveillance <http://www.boston.com/dailyglobe2/150/business/Souped_up_surveillance+.shtml> - From supermarkets to banks to office parks, the world is full of thousands of surveillance cameras. But generally speaking, they're only as good as the sometimes glassy-eyed security officers watching them. Imagine, however, you had a surveillance camera that would automatically detect suspicious behavior, sound an alarm, and begin recording an incident for later review by security officials.

Mobile Dilemmas <http://securityportal.com/topnews/dilemmas20000530.html> - Most traditional security people think of fortresses. "Build a perimeter around your assets," they say. The problem is that the perimeter, as a tool for security folks, is going the way of the typewriter for writers. In an average high-tech company up to one-third of the workforce are now mobile workers: sales people, executives, field support staff, and engineers. Traveling across the nation and the world transacting business from their laptops, these workers create a large security hole. Traditional security measures do not match up to the challenge of protecting information assets over such a vast canvas.

ComputerWorld: Possible S&P security holes reveal risks of e-commerce <http://www.computerworld.com/home/print.nsf/(frames)/000526E3AE?OpenDocument&~f> - Alleged security flaws in an online service offered by a unit of Standard & Poor's Financial Information Services highlight the risks companies sometimes face as they use the Web to connect with external partners.

May 29, 2000

Slashdot: Open-Source != Security; PGP Provides Example <http://slashdot.org/article.pl?sid=00/05/28/1838201&mode=thread> - Porthop points out this "interesting developer.com story regarding the security of open source software, in regards to theories that many eyes looking at the source will alleviate security problems." It ain't necessarily so, emphasis on necessarily. Last week it was discovered that, in some (uncommon) cases, a really stupid brainfart bug makes PGP 5 key generation not very random. The bug lived for a year in open-source code before being found. If you generated a key pair non-interactively with PGP 5 on a unix machine, don't panic and read carefully; you may want to invalidate your key.

NandoTimes: FBI hunts for origins of `Killer Resume' virus <http://www.nandotimes.com/technology/story/0,1643,500209810-500294043-501605791-0,00.html> - The FBI and computer experts pursued yet another e-mail virus Saturday, this one using the guise of a woman's work resume to threaten the world's computers. Unlike an earlier bug that claimed to be looking for love, the new threat was discovered Friday looking for a job. The virus - called "Killer Resume" - is spread through e-mail systems using the Microsoft Outlook program, FBI officials said. They refused to elaborate on the investigation.

AntiOnline: Personal firewall software: Protect yourself from hackers <http://www.antionline.org/2000/05/29/eca/0002-0572-US-Computers.html> - It's a jungle out there on the Internet. Hackers - people intent on destroying your data or just being a general nuisance - are waiting to pounce on your PC. For people who connect to the Internet with a 56k modem, hackers are not a big worry. But increasingly, computer users are taking advantage of the high-speed, always-on Internet connections offered by cable TV providers or by telephone companies, which offer digital subscriber line (DSL) hook-ups.

RootPrompt: Can IPv6 replace SSL? <http://rootprompt.org/article.php3?article=486> - Reto Haeni has written this paper, which gives a brief overview of the features of IPv6 and discusses its security specifications. In the later sections of the paper, he compares the security specifications of IPv6 to one of today's available security protocols, SSL (Secure Sockets Layer).

Information Week: Intrusion-Detection Services Proliferate <http://web.lexis-nexis.com/more/cahners-chicago/11407/5893007/2> - Intrusion-detection services come with around-the-clock outside experts who collate and sift through all the information, superfluous or not, generated by intrusion-detection sensors sitting on a network. These services manage all the hardware and software tools, too. Companies typically pay a monthly fee for such services.

BBC: E-mail virus 'contained' <http://news.bbc.co.uk/hi/english/sci/tech/newsid_768000/768320.stm> - A new computer virus capable of ravaging information systems and spreading worldwide via e-mail appears to have been contained, the Federal Bureau of Investigation has said.

******* What's new with SecurityPortal.com *******

Ethics in Information Security

I've been looking into computer ethics recently, and it struck me that there seems to be a real lack of any good documentation or books on the subject. When you consider the number of value-based judgements administrators need to make with little or no guidance, the problem becomes apparent. When is it okay to read a user's email? Is it okay to monitor the sites a user visits? Is it okay to monitor every keystroke and take a video of their screen for later review? Where do you draw the line at data mining? Should students be given unsupervised access to the Internet? Should applications like Napster, ICQ and web browsers be restricted?

Read the full story at <http://securityportal.com/closet/closet20000531.html>

******* New From SecurityPR.com *******

FREEDOM 1.1 IS HERE! Total Internet privacy? Zero-Knowledge offers the closest thing. <http://www.zdnet.com/pcmag/stories/firstlooks/0,6763,2413285,00.html> - Freedom combines online pseudonyms, powerful cryptography, and network technology to give you the best in personal Internet security.

Internet Security Systems Releases Database Scanner 4.0 to Further Secure Mission Critical Enterprise Data <http://www.iss.net/cgi-bin/dbt-display.exe/db_data/press_rel/release/053100247.plt> - Deeper integration with the scanner product line creates the highest level of security for database platforms.
PC Guardian upgrades Encryption Plus for Email <http://www.pcguardian.com/press/000531_email.html> - Encryption Plus for Email is a plug-in for Microsoft Outlook and Lotus Notes 4.5 and higher that quickly and easily encrypts and sends email messages and attachments.

Enter your own Press Releases directly at SecurityPR.com. http://securitypr.com

*******************************************

Tell us how we are doing. Send any other questions or comments to [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.

Michael McCrea
SecurityPortal.com - the Focal Point for Security on the Net
[EMAIL PROTECTED]

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information is at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]
