**************
You may leave the list at any time by sending an email to [EMAIL PROTECTED] with the text "SIGNOFF SECURITYPORTAL-L" in the body of the email. We will miss you!

******* Vendor Corner *******

Sponsored by AXENT Technologies

Too Many Passwords? Free White Paper on how to make Single Sign-on a reality.

AXENT's PassGo(tm) InSync gives users one single password for universal access and can be deployed for thousands of users in as little as four days, across the entire enterprise. PassGo InSync is part of AXENT's Lifecycle Security(tm) solutions for e-security. This week and through July 23, AXENT is offering a free copy of the white paper, "Fast Path to Single Sign-On: PassGo Solutions Simplifies Secure Access."

Follow this link for more information:
http://www.axent.com/Axent/Public/Main?nav=Products&detail=http://www2.axent.com/leadform/index.cfm&FuseAction=Form1&KeyCode=2445

******* What's new with SecurityPortal *******

Generalizing Ethics in an Information-based Society

Recently a friend posed an interesting problem to me, a problem that he has been struggling with for quite some time. Management, in their infinite wisdom, had assigned him the formidable task of coming up with a code of ethics that the staff must follow for all computer usage. Their actions stemmed from the abuses by employees (both technical and non-) of the various computer facilities provided by the company. These infractions ranged from simple acts such as reading another's email over their shoulder to offenses as serious as the destruction of work created by others. It was felt that if a generic policy was instituted, employees would be able to supplement their moral compasses with a document to aid them in their quest for a happy and productive co-existence with one another. In a diversified company that includes, among others, arts, documentation and technical support departments, the problem of creating a generic document is indeed formidable.
One might initially suggest that each department have their own code of ethics, but the obvious conflict arises that "Person X can do this, why can't I?" Therefore the easy solution can immediately be discarded. Obviously guidelines that are generic enough to encompass all the departments are needed, but they must be specific enough so as to prevent employees from constantly second-guessing them, or worse, just plain ignoring them.

Read the full story here:
http://securityportal.com/cover/coverstory20000710.html

******* Top News *******

Welcome to SecurityPortal - The Focal Point for Security on the Net(tm)

Recent postings in our top news http://www.securityportal.com/topnews:

July 10, 2000

Weekly Axent Security Roundup - Vandals, miscreants, and ne'er-do-wells continue to raid the Openhack network. As of this report, one hacker has compromised the network's Website. Not to worry - the hacker found some holes in MiniVend code, not a backdoor on a Raptor system. See the report in the news section. The Fourth of July holiday has slowed activity on the Raptor List to a crawl. List highlights from the week include analyzing a message from a log file, configuring high availability solutions, and the implications of turning off DNSd. In our technical tip this week - some advice on analyzing logfiles for suspicious activity.
http://securityportal.com/topnews/weekly/axent20000710.html

Weekly BSD Security Roundup - WuFTPD and several other FTP servers were found to contain remote root hacks, BitchX (a popular IRC client) has a nasty bug, and numerous other problems have been found. FreeBSD issued several important advisories, as did OpenBSD (their FTP server is vulnerable). Seems they are playing catch-up on some older issues.
http://securityportal.com/topnews/weekly/bsd20000710.html

Weekly Checkpoint Security Roundup - It was another busy week for the Check Point mailing list.
Some of the major topics discussed were the new SMTP CVP server DoS attack, SecuRemote configurations, blocking the new versions of ICQ, problems related to firewall logging, and High Availability (HA) solutions.
http://securityportal.com/topnews/weekly/checkpoint20000710.html

Weekly Linux Security Roundup - A lot of new problems found -- people are still creating files in /tmp insecurely, and trusting user-supplied data more than they should.
http://securityportal.com/topnews/weekly/linux20000710.html

Weekly Microsoft Security Roundup - This week saw one Security Bulletin from Microsoft, a couple of interesting NTBugtraq posts involving Invalid SSL Certificates, MS IIS 4 & 5 FTP path enumeration, and a Windows 2000 SystemRoot problem. Read the tip of the week for information on upgrading Windows NT to Windows 2000 and custom security settings.
http://securityportal.com/topnews/weekly/microsoft20000710.html

Weekly Solaris Security Roundup - A quiet summer week, with less news and vulnerabilities than usual. The tip of the week presents "saveit," a script for simple version control of files/directories.
http://securityportal.com/topnews/weekly/solaris20000710.html

July 9, 2000

ComputerUser: New Zealand MP Calls For Echelon Spy Network Exit - While the French Government is currently investigating the controversial Echelon spy network controlled by the US, a New Zealand parliamentarian, Rod Donald, has called again for the nation's involvement in the network to be withdrawn.
http://currents.net/news/00/07/09/news10.html

ZDNet: AOL/Netscape hit with privacy lawsuit - The suit alleges that Netscape's SmartDownload feature illegally monitors downloads of .exe and .zip files.
http://www.zdnet.com/zdnn/stories/news/0,4586,2600180,00.html

July 8, 2000

CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD - A vulnerability involving an input validation error in the "site exec" command has recently been identified in the Washington University ftpd (wu-ftpd) software package. Sites running affected systems are advised to update their wu-ftpd software as soon as possible. A similar but distinct vulnerability has also been identified that involves a missing format string in several setproctitle() calls. It affects a broader number of ftp daemons.
http://securityportal.com/topnews/CA-2000-13.html

July 7, 2000

Microsoft Bulletin: Patch Available for Stored Procedure Permissions Vulnerability - Microsoft has released a patch that eliminates a security vulnerability in Microsoft SQL Server 7.0. The vulnerability could allow a malicious user to run a database stored procedure without proper permissions.
http://securityportal.com/topnews/ms00-048.html

SecurityFocus: Scanning the World - A secretive Silicon Valley startup is probing the Internet, tickling firewalls and intrusion detection systems across the globe and raising the ire of network administrators increasingly sensitized to potential harbingers of hack attacks. Security watchers began noticing the probes earlier this year.
"When I came in to work in the morning, I saw pages and pages of traceroutes and pings," recalls Matthew Jach, a network security specialist under contract with the state of Wisconsin.
http://www.securityfocus.com/news/56

CIAC: OpenSSH UseLogin Vulnerability - If the UseLogin option is enabled, then the remote user's commands will be executed with an incorrect user id. Patch is available.
http://www.ciac.org/ciac/bulletins/k-058.shtml

Lexis Nexis: Interpol to Get Bay Area Help Foiling Hackers - A Menlo Park consulting firm is working with Interpol, the international police organization, to create a worldwide network that would act as an early warning system to help companies protect themselves from cyber attacks. AtomicTangerine, a 7-month-old commercial spin-off of the nonprofit SRI International, plans to spend millions of dollars on the Web-based system, which companies and organizations would use free of cost, said chief executive Jonathan Fornaci. (note: AtomicTangerine is an investor in SecurityPortal)
http://web.lexis-nexis.com/more/cahners-chicago/11407/6039428/3

Wired: A Fight to Ban Cellphone Spam - Those emergency beeps your cellphone is making could be just another spam ad. A New Jersey congressman wants to end the madness, but will his proposed legislation really stop spammers from going wireless?
http://wired.com/news/politics/0,1283,37376,00.html

Wired: Crypto Users Can't See FBI.gov - The FBI's home page appears just like any other Web page -- unless you use a private Web surfing service from Zero Knowledge Systems. Users say they're being blocked because of identity-hiding technology.
http://wired.com/news/technology/0,1282,37425,00.html

MSNBC: You've Got (Real) Mail - America Online, concerned about Internet scams, has begun to identify genuine e-mail from the Internet service provider with added graphics or color, to help its 23 million users easily identify e-mail that is truly being sent by AOL.
http://msnbc.com/news/429246.asp

CNet: Net Trade Group Releases Privacy Guidelines - In a move aimed at setting privacy protection standards for Internet users, a trade group for online marketers and advertisers said it has developed voluntary guidelines for Web sites and advertisers.
http://news.cnet.com/news/0-1005-200-2214724.html?tag=st.ne.1002.bgif.ni

NWFusion: Defending Against Outlook Viruses - Melissa and the Worm.ExploreZip virus were slaps in the face to Microsoft Outlook users. But the ILoveYou virus, which struck during the spring, appears to have been the real wake-up call.
http://www.nwfusion.com/archive/2000/99914_07-03-2000.html?n

TechWeb: Has 'Safe Harbor' Been Scuttled? - In a move that signals the international concern over online privacy isn't waning, the European Parliament this week voted down the proposed "Safe Harbor" agreement that would have allowed the export of electronic data regarding European citizens to the United States.
http://www.techweb.com/wire/story/TWB20000706S0014

July 6, 2000

ZDNet: FBI Concerned About NTT-Verio Deal - The Federal Bureau of Investigation has raised national-security concerns about a Japanese company's attempt to acquire a U.S. Internet service provider, signaling the government's increasing worry about the globalization of, and its loss of control over, telecommunications networks.
http://www.zdnet.com/zdnn/stories/news/0,4586,2598979,00.html?chkpt=zdhpnews01

Diffie-Hellman Key Exchange - A colleague recently asked if I could help him understand the Diffie-Hellman key exchange protocol... without digging through the math. My answer was "Yes I can, but not easily." Doing so requires a few diagrams because, in this particular case, a picture is worth at least a thousand words!
http://securityportal.com/topnews/dhkeyexchange20000706.html

CERT Current Activity: Reports of WU-FTP and Bind Compromises - The CERT/CC has been receiving a slow but steadily-increasing number of reports from sites being compromised as a result of exploiting the "site exec" wu-ftpd vulnerability first alerted to by AUSCERT. Also reports of systems being compromised by the "NXT bug".
http://www.cert.org/current/current_activity.html

ComputerWeekly: Microsoft .net Slammed Over Smartcard Security - Only two weeks after its announcement, Microsoft's .net strategy vision has been slammed by IT analysts for having a poor security model. Microsoft sees smartcards based on Windows technology as an essential component to its .net software services.
http://www.computerweekly.com/cwarchive/news/20000706/cwcontainer.asp?name=B1.HTML&SubSection=1

Trend Micro Virus Alert: TROJ_DILBER - This memory resident Trojan sends itself out via MS Outlook to all lists in the infected user's address book. The Trojan file has an icon that is similar to the face of "Dilbert," the popular comic strip character.
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DILBER

SJ Mercury: Companies in High-Stakes Race to Supply Digital Signature Technology - At tiny signOnline Inc., executives are working overtime to stake their claim in what could become the Internet's next gold rush: digital signatures, the technology that allows consumers to buy a home or auto without ever signing a piece of paper.
http://www.sjmercury.com/svtech/news/breaking/merc/docs/041210.htm

LinuxWorld: What's the hat got to do with it? - Setting the record straight on Chris Klaus and ISS.
http://www.linuxworld.com/linuxworld/lw-2000-07/f_lw-07-vcontrol_1.html

ZDNet: Wireless: Unplugged and Insecure - The industry is rushing to wireless as it did to the Internet, and it's making the same hurried mistakes regarding security: minimizing its importance in order to get applications into the hands of users.
http://www.zdnet.com/zdnn/stories/news/0,4586,2597657,00.html

July 5, 2000

Wired: Was Arab ISP Hack Illegal? - An alleged hacking attempt in the United Arab Emirates is challenging the validity of Internet-related laws here. A week after accusing a 26-year-old British computer technician of attacking the country's only Internet service provider, lawyers say that a closer examination of existing laws reveals the alleged hack may not be considered illegal.
http://wired.com/news/politics/0,1283,37401,00.html

NTSecurity: Microsoft's ISA Server Threatens Firewall Market - When Microsoft's Proxy Server first became available in October of 1996, industry analysts knew it would only be a short amount of time before the company would take the product further to produce a full blown firewall system. They were right. Microsoft's new Internet Security and Acceleration (ISA) server, currently in beta, is positioned as a firewall and traffic management system to complement Windows 2000 Server. Analysts now say ISA Server threatens the marketspace of long time security solution providers such as Checkpoint Technologies, Cisco Systems, and Network Associates.
http://www.ntsecurity.net/forums/2cents/news.asp?IDF=158&TB=news

Infoworld: Microsoft Shores Up Browser Security - Microsoft has issued a patch for an Internet Explorer bug that it said could overwrite files and eventually crash computers. The vulnerability in the browser's Active Setup Download feature could enable malicious hackers or Web site operators to launch denial-of-service attacks, Microsoft said in a bulletin that accompanies the patch. The fix for the security hole was released last Thursday.
http://www.infoworld.com/articles/hn/xml/00/07/05/000705hniehole.xml

GovExec: Army Geeks With Guns Track Down Hackers - Late last year, Aaron J. Eden, a disgruntled Army private stationed in Indianapolis, Ind., hacked into the Army's Enlisted Records and Evaluation Center system and deleted 38,000 personnel-related files.
At work, he was able to install Back Orifice 2000, a remote control software program that allowed him to access Army computers from his home. He also installed a "sniffer," an application that gathered passwords for him clandestinely. By using these tools, Eden was able to pass himself off as a systems administrator.
http://www.govexec.com/dailyfed/0700/070300j1.htm

ZDNet: P3P: A Green Sight for Privacy on the Web? - Technology aimed at informing users of how much information each site requests is in the works for launching later this year. Will the technology mean 'go' for better privacy on the Web?
http://www.zdnet.com/zdnn/stories/news/0,4586,2598004,00.html

Wired: EU to Search for Echelon - The European Parliament voted on Wednesday to form a committee to investigate allegations the United States and allies like Britain used Cold War satellites to conduct industrial espionage in Europe.
http://wired.com/news/politics/0,1283,37394,00.html

CNN: How to Protect Your Network - ParaProtect, a network security portal in Alexandria, Va., reports that 90% of the security breaches its technicians work on are based on attacks from within. Even more shocking is that upwards of 50% are caused by the company's own network administrators.
http://www.cnn.com/2000/TECH/computing/07/04/network.protect.idg/index.html

TechWeb: E-Signatures: Ties that Bind - With a few strokes of the presidential pen -- and the symbolic use of a smart card -- electronic signatures have gained the same legal status as those written in ink on paper. The Electronic Signatures in Global and National Commerce Act, signed by President Clinton on June 30, could make it easier, faster, and less expensive to conduct business online.
http://www.techweb.com/wire/story/TWB20000704S0002

ZDNet: Hacking Opens Legal Can of Worms... For the Victims - Amid the nearly constant stream of news coverage about Internet security problems over the past six months, most people probably didn't even register the recent attack on Nike Inc.'s Web site. After all, Web sites are attacked every day; Nike may be a high-profile company, but there was nothing particularly unusual about the incident itself. One of the victims is preparing an extremely unusual response, however, that could change the way we think of online security. Scottish ISP FirstNet Online is preparing to sue the shoe maker -- for "allowing" itself to be hacked.
http://www.zdnet.com/zdnn/stories/comment/0,5859,2597881,00.html

TheRegister: Hackers Are Common Criminals - In what way is hacking into a computer any different from breaking into a house? Both are private property. Locks on doors are only necessary because there are people who can't be bothered to work. They would much rather you worked hard to buy things that they could later remove while you were out earning more money.
http://www.theregister.co.uk/content/6/11763.html

July 4, 2000

LinuxToday: Red Hat Security Advisory - The makewhatis portion of the man package used files in /tmp in an insecure fashion. It was possible for local users to exploit this vulnerability to modify files that they normally could not and gain elevated privilege.
http://linuxtoday.com/news_story.php3?ltsn=2000-07-04-003-04-SC-RH

ZDNetUK: Panorama Puts Teenage Hackers Under the Microscope - Teenage hackers pose a serious threat to governments and world trade, according to BBC investigative programme Panorama.
http://www.zdnet.co.uk/news/2000/26/ns-16393.html

CNN: NASA Disputes Report That Hacker Endangered Astronauts - NASA denied a British report Monday that a computer hacker endangered space shuttle astronauts during a cyber attack on the space agency in 1997.
http://www.cnn.com/2000/TECH/space/07/03/nasa.hacker.02/index.html

The Standard: TRUSTe to File Antiprivacy Brief Against Toysmart - Consumer privacy could be the latest casualty in the dot-com shakeout, as failing companies look to sell customer lists in liquidation sales. The nonprofit organization TRUSTe announced Friday it is planning to file a brief in bankruptcy court that will decide whether Toysmart.com can sell its customer lists.
http://www.thestandard.net/article/display/0,1151,16577,00.html

July 3, 2000

ABCNews: High-Tech Spy vs. Spy - Transmeta chief executive David Ditzel chuckles at the memory of the sudden interest in the company's trash weeks before taking the wraps off its new, top-secret Crusoe computer chip. But with hundreds of millions of dollars of research on the line, keeping the microprocessor's specifications secret was no laughing matter.
http://www.abcnews.go.com/sections/tech/DailyNews/transmetaspy000701.html

KPMG Releases White Paper on Cybercrime - This white paper focuses on how organisations can use a comprehensive cyber defence program to turn e-crime preparedness into a new competitive advantage. It describes the business risks now evolving rapidly in the electronic marketplace. It discusses how some attacks take place as well as how some organisations are beginning to protect themselves, both to deter and respond to attacks and to avert further damage once an exploitation has taken place. Finally, this document examines how the scope and nature of e-crime is expected to change and how organisations can prepare to meet those new challenges.
http://www.us.kpmg.com/assurance/New_strat/index.htm

Vnunet: Web Page Virus Prompts Security Concerns - Kaspersky Labs today issued a warning about an internet worm called 'Jer' that was placed on a website within the Geocities community.
The worm's author announced the website - entitled 'The 40 ways women fail in bed' - on several internet relay chat (IRC) channels, attracting more than 1000 visitors on its first day.
http://www.vnunet.com/News/1105489

MSNBC: PGP Patch Prevents Remote Server Crash - Pretty good means different things to different people. However, by running Network Associates' Pretty Good Privacy Certificate Server, you might be susceptible to a simple DoS attack that could leave you wondering why users can't log in.
http://msnbc.com/news/427896.asp

LinuxToday: Debian Security Advisory: Package: canna - The canna package as distributed in Debian GNU/Linux 2.1 can be remotely exploited to gain access. This could be done by overflowing a buffer by sending a SR_INIT command with a very long username or groupname. This has been fixed in version 3.5b2-24slink1, and we recommend that you upgrade your canna package immediately.
http://linuxtoday.com/news_story.php3?ltsn=2000-07-02-015-04-SC-DB

Annanova: British Astronaut's Life 'Endangered By Hackers' - Roberta Gross, inspector general at NASA, told Panorama: "We had an activity at a NASA centre where a hacker was overloading our systems ... to such an extent that it interfered with communications between the NASA centre, some medical communications and the astronaut aboard the shuttle."
http://www.ananova.com/news/story/technology_internet-crime_15033.html

IDG: Cyber Laws Emerge, But Slowly - It took more than $8 billion in computer damage from the "ILOVEYOU" virus for Philippine Republic Act 8792 to come about. The country's week-old electronic commerce act lays out how "hacking or cracking" crimes should be punished in the Philippines. Love bug virus suspect, Onel de Guzman, will not face charges under the new law, rather ones already on the Republic's books that address theft and credit card fraud.
http://idg.net/ic_195695_1773_1-483.html

******* What's New With SecurityPortal *******

Why Do Vendors Ship Us Junk They Wouldn't Use?
This is something I have been thinking about off and on for a while. Why do vendors ship software that they themselves won't use? Most Linux vendors ship the same general packages - Sendmail for SMTP mail services, WuFTPD for FTP, Telnet for remote access and so on. The kicker, though, is that most of these vendors use different software on their servers. There are several shining examples of this.

Read the full story at:
http://securityportal.com/closet/closet20000705.html

******* New at SecurityPR.com, a Vendor Press Release Site ********

Norman Develops Next Generation of Virus Control - In just under three months Norman ASA will introduce the next generation of virus control for end users. Norman Virus Control 5.0 has extended functionality and user friendliness. Up to its introduction, the new version will be tested among a selection of Norman's customers.
http://securityportal.com/pr/pr.20000703123644.html

Sentillion Chooses RSA Security to Enable Authentication Among Healthcare Applications - RSA BSAFE SSL-J Software Conforms with Healthcare Standard, Helps Provide Protection Against Unauthorized Access, Manipulation of Patient Records.
http://securityportal.com/pr/pr.20000705125618.html

Interpol and AtomicTangerine Announce Unique Alliance to Arrest the Multi-Billion Dollar Online Crime Wave - Companies worldwide will have new access to superior intelligence in their war against global cyber crime as a result of an innovative alliance between the private and public sector.
http://securityportal.com/pr/pr.20000701122558.html

Enter your own Press Releases directly at SecurityPR.com.
http://securitypr.com

*******************************************

Tell us how we are doing.
Send any other questions or comments to [EMAIL PROTECTED]

Michael McCrea and Tony Chapman
SecurityPortal - The Focal Point for Security on the Net
[EMAIL PROTECTED]
[EMAIL PROTECTED]

--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrator can be reached via [EMAIL PROTECTED]
