]]> Tue, 13 May 2008 03:25:55 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0042.html http://www.theregister.co.uk/2008/05/08/downfall_of_botnet_master_sobe_owns/

By Dan Goodin in San Francisco
The Register
8th May 2008

Exclusive -- One day in May 2005, a 16-year-old hacker named SoBe opened
his front door to find a swarm of FBI agents descending on his family's
three-story house in Boca Raton, Florida. With an arm and leg in casts
from a recent motorcycle accident, one agent grabbed his good arm while
others seized thousands of dollars worth of computers, video game
consoles and other electronics. His parents looked on.

At that moment, some 2,700 miles away, in the Los Angeles suburb of
Downey, California, the FBI was serving a separate search warrant on
Jeanson James Ancheta, SoBe's 20-year-old employer and hacking mentor.
It was the second time in six months Ancheta had been raided by the FBI
- a clear sign, had either bothered to notice, that their year-long
botnet spree was unravelling.

But instead of abandoning the venture after the first raid, or at least
laying low for a while, SoBe and Ancheta, according to court documents,
continued hijacking hundreds of thousands of PCs that they would then
corral into massive networks and infect with adware. So great was SoBe's
sense of impunity he continued the scheme even after Ancheta was
arrested a few months later and charged with 17 felonies related to the
hijacking of almost 400,000 PCs, some of them belonging to the US
Department of Defense.

"That's why I love this age, its all computers heh," SoBe wrote in early
December 2005, a month after Ancheta's arrest, during an online chat.
"All these companys have websites, etc. Its just funny going somewhere
like Target, or Sprint then coming home and rooting there servers out of
boredom. Makes some people feel like they can do anything."
(Misspellings and grammatical errors are his.)

SoBe's adrenalin-fueled days of fast money were slowly coming to an end.
His downfall started shortly after he and Ancheta launched their botnet
venture, when some clumsy mistakes attracted the attention of federal
investigators. It continued as their homes were raided, and shortly
after that, when the feds seized more than $38,000 earmarked as SoBe's
cut of the botnet profits. Then in May 2006, SoBe was shocked when he
learned Ancheta received 57 months in prison after pleading guilty to
four counts of fraud related to the scheme.

His undoing was completed in February, seven months after SoBe turned
18, when he pleaded guilty to two counts of juvenile delinquency related
to his use of botnets.

SoBe - who also went under the names SoBe Owns, PwnZ0r, SerlissMc and
vapidz - admitted to infecting computers belonging to the Defense
Information Security Agency and Sandia National Laboratories. He was
sentenced today in a closed-door hearing. Although the actual sentence
is confidential because SoBe was a juvenile at time of the crimes, his
plea agreement contemplated a prison term of 12 to 18 months.

[...]


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:49:12 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0051.html http://www.gcn.com/online/vol1_no1/46239-1.html

By William Jackson
GCN.com
05/08/08

The National Institute of Standards and Technology is seeking comment on
its draft guidelines for securing servers, released this week.

NIST Special Publication 800-123 [1], "Guide to General Server
Security," makes recommendations for securing server operating systems
and softwarein addition to maintaining a secure configuration with
patches and software upgrades, security testing, log monitoring and
backups of data and operating system files.

The document addresses common servers that use general operating systems
and are deployed in outward- and inward-facing locations. The
recommendations apply to a variety of typical servers, such as Web,
e-mail, database, infrastructure management and file servers. Much of
the content was derived from SP 800-44 Version 2, "Guidelines on
Securing Public Web Servers," and SP 800-45 Version 2, "Guidelines on
Electronic Mail Security."

Common security threats addressed include exploitation of software bugs
to gain unauthorized access, denial-of-service attacks, exposure or
corruption of sensitive data, unsecured transmission of data, use of a
server breach to gain access to other network resources and use of a
compromised server to launch attacks.

NIST recommended that security plans be considered from the initial
planning stage because addressing security is more difficult after
deployment. "Organizations are more likely to make decisions about
configuring computers appropriately and consistently when they develop
and use a detailed, well-designed deployment plan," the document said.
It also advised agencies to consider human resources required for
deployment and operational phases, including training requirements.

To ensure the security of a server and the supporting network
infrastructure, NIST recommends:

* Organizationwide information system security policy.
* Configuration/change control and management.
* Risk assessment and management.
* Standardized software configurations that satisfy the information
system security policy.
* Security awareness and training.
* Contingency planning, continuity-of-operations and disaster
recovery planning.
* Certification and accreditation.

In deployment server operating systems, default hardware and software
configurations usually must be modified to achieve adequate security
rather than maximum functionality and ease of use. "Because
manufacturers are not aware of each organization's security needs, each
server administrator must configure new servers to reflect their
organization's security requirements and reconfigure them as those
requirements change," NIST advised. "Using security configuration guides
or checklists can assist administrators in securing systems consistently
and efficiently."

Similar efforts are needed for server applications. "The overarching
principle is to install the minimal amount of services required and
eliminate any known vulnerabilities through patches or upgrades," the
document said.

Comments on the draft should be e-mailed [2] by June 13, with the phrase
"Comments SP 800-123" in the subject line.

[1] http://csrc.nist.gov/publications/drafts/800-123/Draft-SP800-123.pdf
[2] 800-123comments (at) nist.gov


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:24:21 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0039.html ========================================================================

The Secunia Weekly Advisory Summary
2008-05-01 - 2008-05-08

This week: 62 advisories

========================================================================
Table of Contents:

1.....................................................Word From Secunia
2....................................................This Week In Brief
3...............................This Weeks Top Ten Most Read Advisories
4.......................................Vulnerabilities Summary Listing
5.......................................Vulnerabilities Content Listing

========================================================================
1) Word From Secunia:

Secunia is pleased to announce that we are sponsoring the upcoming
Gartner IT Security Summit from June 2 to 4 in Washington, DC. The
event brings together Gartner analysts, leading executives, and
innovators to present research, case studies, and insight into the
business-critical aspect of IT.

If you would like to meet with Secunia representatives in the
conference, you can get a $400 discount off the regular registration
fee. Please contact pr@private to receive the priority code and
schedule the meeting.

========================================================================
2) This Week in Brief:

Multiple vulnerabilities in PHP have been reported, some of which have
unknown impacts and others, which can be exploited by malicious users
to bypass certain security restrictions, and potentially by malicious
people to cause a DoS (Denial of Service) or to compromise a vulnerable
system.

An unspecified error in the FastCGI SAPI can be exploited to cause a
stack-based buffer overflow.

An error in the processing of multibyte characters within the
"escapeshellcmd()" and "escapeshellarg()" functions can be exploited to
escape the inserted backslash or quote characters via certain multibyte
characters. Successful exploitation of this vulnerability allows to
bypass the "safe_mode_exec_dir" and "disable_functions" directives, and
potentially to inject arbitrary shell commands via user controlled
input, but requires that the shell uses a locale with a variable width
character (e.g. GBK, EUC-KR, SJIS).

A vulnerability is caused due to an error during path translation in
cgi_main.c. This can potentially be exploited to execute arbitrary
code, but depends on how a targeted application is using PHP.

An error in cURL can be exploited to bypass the "safe_mode" directive.

A boundary error in PCRE can potentially be exploited by malicious
people to cause a DoS or compromise a vulnerable system. This may be
related to a previously reported vulnerability in PCRE.

A weakness in the "GENERATE_SEED()" macro has also been reported.

Version 5.2.6 has been released by the developers, resolving these
issues. For more information, refer to:
http://secunia.com/advisories/30048/

--

Some vulnerabilities have been reported in the Linux kernel, which can
be exploited by malicious people to cause a DoS (Denial of Service),
and by malicious, local users to cause a DoS or to potentially gain
escalated privileges.

A race condition error exists in the dnotify subsystem between calls to
"fcntl()" and "close()". This can be exploited to cause a system crash
or potentially gain root privileges.

A boundary error in the Tehuti network driver can be exploited to
corrupt kernel memory via specially crafted "BDX_OP_WRITE" IOCTL calls.

An error exists in the implementation of the IPsec protocol. This can
be exploited to crash an affected system via fragmented ESP packets.
Successful exploitation of this vulnerability requires the ability to
manipulate network packets sent from an authenticated IPsec peer.

The vulnerabilities are resolved in Linux Kernel version 2.6.25. For
more information, refer to:
http://secunia.com/advisories/30044/

Various Linux distributions have also released kernel updates.

--

A highly critical vulnerability has been reported in multiple Adobe
products, which potentially can be exploited by malicious people to
compromise a user's system.

The vulnerability is caused due to a boundary error when handling BMP
files. This can be exploited to cause a buffer overflow via a BMP file
having a malformed header.

Successful exploitation may allow execution of arbitrary code via a
specially crafted BMP file.

Reportedly, the vulnerability can also be exploited when a malicious
storage device (e.g. USB drives, cameras) is being attached to a
vulnerable computer. It currently is unpatched.

The vulnerability is reported in Adobe Photoshop Album Starter Edition
3.2 and Adobe After Effects CS3. Other versions may also be affected.

For more information, refer to:
http://secunia.com/advisories/29838/

--

VIRUS ALERTS:

During the past week Secunia collected 167 virus descriptions from the
Antivirus vendors. However, none were deemed MEDIUM risk or higher
according to the Secunia assessment scale.

========================================================================
3) This Weeks Top Ten Most Read Advisories:

1. [SA30048] PHP Multiple Vulnerabilities
2. [SA30044] Linux Kernel Multiple Vulnerabilities
3. [SA29969] Novell GroupWise WebAccess Script Insertion
4. [SA30037] Akamai Download Manager Code Execution Vulnerability
5. [SA29976] IBM WebSphere Application Server Java Plugin Security
Bypass
6. [SA30041] Animal Shelter Manager Multiple Security Bypass
Vulnerabilities
7. [SA29985] WebGUI Data Form List View Unspecified Vulnerability
8. [SA29998] angelo-emlak Cross-Site Scripting and SQL Injection
Vulnerabilities
9. [SA30039] AstroCam "picfile" Cross-Site Scripting Vulnerability
10. [SA30018] Debian update for kernel

========================================================================
4) Vulnerabilities Summary Listing

Windows:
[SA30127] PostcardMentor "cat_fldAuto" SQL Injection Vulnerability
[SA30103] fipsCMS "lg" SQL Injection Vulnerability
[SA30128] SAP Internet Transaction Server wgate.dll Cross-Site
Scripting Vulnerability
[SA30074] SysAid "searchField" Cross-Site Scripting Vulnerability
[SA30063] Invensys Wonderware InTouch SuiteLink Service Denial of
Service

UNIX/Linux:
[SA30124] NetBSD update for OpenSSL
[SA30105] Ubuntu update for thunderbird
[SA30100] Ubuntu update for openoffice.org
[SA30073] Gentoo update for egroupware
[SA30129] Sun Solaris Tk GIF Processing Buffer Overflow
Vulnerabilities
[SA30118] rdesktop Multiple Vulnerabilities
[SA30106] Debian update for kazehakase
[SA30097] Debian update for blender
[SA30095] SIPp Two Buffer Overflow Vulnerabilities
[SA30090] Online Rental Property Script "pid" SQL Injection
[SA30078] Ubuntu update for cups
[SA30131] Sun Solaris TCP Implementation SYN Flood Denial of Service
[SA30130] Sun Ray Server Software Kiosk Mode Vulnerability
[SA30080] ChiCoMaS "q" Cross-Site Scripting Vulnerability
[SA30112] Red Hat update for kernel
[SA30099] Ubuntu update for ldm
[SA30132] HP-UX LDAP-UX Privilege Escalation Vulnerability
[SA30116] Red Hat update for kernel
[SA30114] HP-UX update for Netscape Directory Server
[SA30113] Ubuntu update for kdelibs
[SA30111] QEMU "drive_init()" Disk Format Security Bypass
[SA30110] Red Hat update for kernel
[SA30109] Ubuntu update for emacs
[SA30108] Linux Kernel Multiple Vulnerabilities
[SA30086] Sun Solaris SSH X11 Forwarding Vulnerability
[SA30093] Debian update for b2evolution
[SA30101] Linux Kernel "fcntl_setlk()" SMP Reordered Access
Vulnerability
[SA30077] rPath update for kernel

Other:


Cross Platform:
[SA30059] ITCms Arbitrary PHP Code Execution Vulnerability
[SA30123] Galleristic "cat" SQL Injection Vulnerability
[SA30122] Sun Java System Web Server / Application Server JSP
Information Disclosure
[SA30107] Musicbox "artistId" SQL Injection Vulnerability
[SA30091] mvnForum "QuickReply" Script Insertion Vulnerability
[SA30089] Auction XL "viewfaqs.php" SQL Injection Vulnerability
[SA30085] Miniweb "historymonth" SQL Injection Vulnerability
[SA30084] DeluxeBB SQL Injection and PHP Code Execution
[SA30076] PHPEasyData "cat_id" SQL Injection Vulnerability
[SA30069] Maian Greetings Cross-Site Scripting and SQL Injection
Vulnerabilities
[SA30061] Nuke ET Security Bypass and Script Insertion Vulnerabilities
[SA30058] BlogMe PHP "id" SQL Injection Vulnerability
[SA30057] SMartBlog Multiple Vulnerabilities
[SA30056] phpDirectorySource SQL Injection Vulnerabilities
[SA30133] Sun Java System Web Server Search Module Cross-Site Scripting
Vulnerability
[SA30121] Tux CMS Multiple Cross-Site Scripting Vulnerabilities
[SA30098] CMS Faethon "what" Cross-Site Scripting Vulnerability
[SA30092] LifeType "newBlogUserName" Cross-Site Scripting
[SA30082] Sphider Suggestion Feature "query" Cross-Site Scripting
Vulnerability
[SA30079] TYPO3 powermail Extension Cross-Site Scripting Vulnerability
[SA30075] LifeType "searchTerms" Cross-Site Scripting Vulnerability
[SA30070] Maian Gallery "keywords" Cross-Site Scripting Vulnerability
[SA30068] Maian Support Multiple Cross-Site Scripting Vulnerabilities
[SA30065] Maian Links Multiple Cross-Site Scripting Vulnerabilities
[SA30064] Bugzilla Security Bypass and Cross-Site Scripting
Vulnerabilities
[SA30062] Zomplog "catname" Cross-Site Scripting Vulnerability
[SA30060] Maian Weblog Multiple Cross-Site Scripting Vulnerabilities
[SA30081] IBM Rational Build Forge Denial of Service
[SA30134] MySQL MyISAM Table Privilege Check Bypass

========================================================================
5) Vulnerabilities Content Listing

Windows:--

[SA30127] PostcardMentor "cat_fldAuto" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-08

InjEctOr5 has reported a vulnerability in PostcardMentor, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30127/

--

[SA30103] fipsCMS "lg" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-08

InjEctOr has reported a vulnerability in fipsCMS, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30103/

--

[SA30128] SAP Internet Transaction Server wgate.dll Cross-Site
Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-08

A vulnerability has been reported in SAP Internet Transaction Server,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/30128/

--

[SA30074] SysAid "searchField" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-05

Yogesh Kulkarni has discovered a vulnerability in SysAid, which can be
exploited by malicious people to conduct cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/30074/

--

[SA30063] Invensys Wonderware InTouch SuiteLink Service Denial of
Service

Critical: Less critical
Where: From local network
Impact: DoS
Released: 2008-05-06

Core Security Technologies has reported a vulnerability in Invensys
Wonderware InTouch, which can be exploited by malicious people to cause
a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/30063/


UNIX/Linux:--

[SA30124] NetBSD update for OpenSSL

Critical: Highly critical
Where: From remote
Impact: DoS, System access
Released: 2008-05-08

NetBSD has issued an update for OpenSSL. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service) and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/30124/

--

[SA30105] Ubuntu update for thunderbird

Critical: Highly critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting, System access
Released: 2008-05-07

Ubuntu has issued an update for thunderbird. This fixes some
vulnerabilities, which can be exploited by malicious people to bypass
certain security restrictions, conduct cross-site scripting attacks, or
potentially compromise a user's system.

Full Advisory:
http://secunia.com/advisories/30105/

--

[SA30100] Ubuntu update for openoffice.org

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-05-07

Ubuntu has issued an update for openoffice.org. This fixes some
vulnerabilities, which can be exploited by malicious people to
compromise a user's system.

Full Advisory:
http://secunia.com/advisories/30100/

--

[SA30073] Gentoo update for egroupware

Critical: Highly critical
Where: From remote
Impact: Security Bypass, System access
Released: 2008-05-08

Gentoo has issued an update for egroupware. This fixes a vulnerability,
which can be exploited by malicious people to bypass certain security
restrictions and compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/30073/

--

[SA30129] Sun Solaris Tk GIF Processing Buffer Overflow
Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-05-08

Sun has acknowledged some vulnerabilities in the Tcl GUI Toolkit
Library included in Solaris, which can be exploited by malicious people
to compromise an application using the library.

Full Advisory:
http://secunia.com/advisories/30129/

--

[SA30118] rdesktop Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2008-05-08

Some vulnerabilities have been reported in rdesktop, which can be
exploited by malicious people to compromise a user's system.

Full Advisory:
http://secunia.com/advisories/30118/

--

[SA30106] Debian update for kazehakase

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information, DoS, System access
Released: 2008-05-07

Debian has issued an update for kazehakase. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), disclose potentially sensitive information,
and compromise a user's system.

Full Advisory:
http://secunia.com/advisories/30106/

--

[SA30097] Debian update for blender

Critical: Moderately critical
Where: From remote
Impact: System access
Released: 2008-05-06

Debian has issued an update for blender. This fixes a vulnerability,
which can be exploited by malicious people to compromise a vulnerable
system.

Full Advisory:
http://secunia.com/advisories/30097/

--

[SA30095] SIPp Two Buffer Overflow Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: DoS, System access
Released: 2008-05-06

Two vulnerabilities have been reported in SIPp, which can be exploited
by malicious people to cause a DoS (Denial of Service) or to
potentially compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/30095/

--

[SA30090] Online Rental Property Script "pid" SQL Injection

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2008-05-06

M.Hasran Addahroni has reported a vulnerability in Online Rental
Property Script, which can be exploited by malicious people to conduct
SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30090/

--

[SA30078] Ubuntu update for cups

Critical: Moderately critical
Where: From local network
Impact: System access
Released: 2008-05-06

Ubuntu has issued an update for cups. This fixes a vulnerability, which
potentially can be exploited by malicious people to compromise a
vulnerable system.

Full Advisory:
http://secunia.com/advisories/30078/

--

[SA30131] Sun Solaris TCP Implementation SYN Flood Denial of Service

Critical: Less critical
Where: From remote
Impact: DoS
Released: 2008-05-08

A vulnerability has been reported in Sun Solaris, which can be
exploited by malicious people to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/30131/

--

[SA30130] Sun Ray Server Software Kiosk Mode Vulnerability

Critical: Less critical
Where: From remote
Impact: System access
Released: 2008-05-08

A vulnerability has been reported in Sun Ray Server Software, which can
be exploited by malicious users to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/30130/

--

[SA30080] ChiCoMaS "q" Cross-Site Scripting Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-05

Hadi Kiamarsi has discovered a vulnerability in ChiCoMaS, which can be
exploited by malicious people to conduct cross site scripting attacks.

Full Advisory:
http://secunia.com/advisories/30080/

--

[SA30112] Red Hat update for kernel

Critical: Less critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive
information, Privilege escalation, DoS
Released: 2008-05-07

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious people to cause a
DoS (Denial of Service), and by malicious, local users to cause a DoS,
disclose potentially sensitive information, or gain escalated
privileges.

Full Advisory:
http://secunia.com/advisories/30112/

--

[SA30099] Ubuntu update for ldm

Critical: Less critical
Where: From local network
Impact: Exposure of system information, Exposure of sensitive
information
Released: 2008-05-07

Ubuntu has issued an update for ldm. This fixes a security issue, which
can be exploited by malicious people to disclose sensitive information.

Full Advisory:
http://secunia.com/advisories/30099/

--

[SA30132] HP-UX LDAP-UX Privilege Escalation Vulnerability

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-05-08

A vulnerability has been reported in HP-UX, which can be exploited by
malicious, local users to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30132/

--

[SA30116] Red Hat update for kernel

Critical: Less critical
Where: Local system
Impact: Exposure of system information, Exposure of sensitive
information, Privilege escalation, DoS
Released: 2008-05-07

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), disclose potentially sensitive
information, or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30116/

--

[SA30114] HP-UX update for Netscape Directory Server

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-05-07

HP-UX has issued an update for Netscape Directory Server (NDS). This
fixes a vulnerability, which can be exploited by malicious, local users
to gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30114/

--

[SA30113] Ubuntu update for kdelibs

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2008-05-07

Ubuntu has issued an update for kdelibs. This fixes a vulnerability,
which can be exploited by malicious, local users to cause a DoS (Denial
of Service) or to potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30113/

--

[SA30111] QEMU "drive_init()" Disk Format Security Bypass

Critical: Less critical
Where: Local system
Impact: Security Bypass
Released: 2008-05-08

A vulnerability has been reported in QEMU, which can be exploited by
malicious, local users to bypass certain security restrictions.

Full Advisory:
http://secunia.com/advisories/30111/

--

[SA30110] Red Hat update for kernel

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation,
DoS
Released: 2008-05-07

Red Hat has issued an update for the kernel. This fixes some
vulnerabilities, which can be exploited by malicious, local users to
cause a DoS (Denial of Service), disclose potentially sensitive
information, or gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30110/

--

[SA30109] Ubuntu update for emacs

Critical: Less critical
Where: Local system
Impact: Privilege escalation
Released: 2008-05-07

Ubuntu has issued an update for emacs. This fixes some security issues,
which can be exploited by malicious, local users to perform certain
actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/30109/

--

[SA30108] Linux Kernel Multiple Vulnerabilities

Critical: Less critical
Where: Local system
Impact: Privilege escalation, DoS
Released: 2008-05-07

Some vulnerabilities have been reported in the Linux kernel, which can
be exploited by malicious people to cause a DoS (Denial of Service) or
to potentially gain escalated privileges.

Full Advisory:
http://secunia.com/advisories/30108/

--

[SA30086] Sun Solaris SSH X11 Forwarding Vulnerability

Critical: Less critical
Where: Local system
Impact: Exposure of sensitive information, Privilege escalation
Released: 2008-05-07

Sun has acknowledged a vulnerability in SSH included in Sun Solaris,
which can be exploited by malicious, local users to disclose sensitive
information or potentially perform actions with escalated privileges.

Full Advisory:
http://secunia.com/advisories/30086/

--

[SA30093] Debian update for b2evolution

Critical: Not critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-06

Debian has issued an update for b2evolution. This fixes a
vulnerability, which can be exploited by malicious people to conduct
cross-site scripting attacks.

Full Advisory:
http://secunia.com/advisories/30093/

--

[SA30101] Linux Kernel "fcntl_setlk()" SMP Reordered Access
Vulnerability

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2008-05-07

A vulnerability has been reported in the Linux kernel, which can be
exploited by malicious, local users to cause a DoS (Denial of
Service).

Full Advisory:
http://secunia.com/advisories/30101/

--

[SA30077] rPath update for kernel

Critical: Not critical
Where: Local system
Impact: DoS
Released: 2008-05-08

rPath has issued an update for the kernel. This can be exploited by
malicious, local users to cause a DoS (Denial of Service).

Full Advisory:
http://secunia.com/advisories/30077/


Other:


Cross Platform:--

[SA30059] ITCms Arbitrary PHP Code Execution Vulnerability

Critical: Highly critical
Where: From remote
Impact: System access
Released: 2008-05-06

Cod3rZ has reported a vulnerability in ITCms, which can be exploited by
malicious people to compromise a vulnerable system.

Full Advisory:
http://secunia.com/advisories/30059/

--

[SA30123] Galleristic "cat" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-08

cOndemned has discovered a vulnerability in Galleristic, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30123/

--

[SA30122] Sun Java System Web Server / Application Server JSP
Information Disclosure

Critical: Moderately critical
Where: From remote
Impact: Exposure of sensitive information
Released: 2008-05-08

Sun has acknowledged a vulnerability in Sun Java System Web Server and
Sun Java System Application Server, which can be exploited by malicious
people to disclose certain sensitive information.

Full Advisory:
http://secunia.com/advisories/30122/

--

[SA30107] Musicbox "artistId" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-08

HaCkeR-EgY has reported a vulnerability in Musicbox, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30107/

--

[SA30091] mvnForum "QuickReply" Script Insertion Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-08

Christian Holler has reported a vulnerability in mvnForum, which can be
exploited by malicious users to conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/30091/

--

[SA30089] Auction XL "viewfaqs.php" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-06

M.Hasran Addahroni has reported a vulnerability in Auction XL, which
can be exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30089/

--

[SA30085] Miniweb "historymonth" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-06

HaCkeR-EgY has reported a vulnerability in Miniweb, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30085/

--

[SA30084] DeluxeBB SQL Injection and PHP Code Execution

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, System access
Released: 2008-05-06

EgiX has discovered two vulnerabilities in DeluxeBB, which can be
exploited by malicious users to compromise a vulnerable system and by
malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30084/

--

[SA30076] PHPEasyData "cat_id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2008-05-07

InjEctOr and ToTaL have discovered a vulnerability in PHPEasyData,
which can be exploited by malicious people to conduct SQL injection
attacks.

Full Advisory:
http://secunia.com/advisories/30076/

--

[SA30069] Maian Greetings Cross-Site Scripting and SQL Injection
Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Cross Site Scripting, Manipulation of data
Released: 2008-05-08

Khashayar Fereidani has reported some vulnerabilities in Maian
Greetings, which can be exploited by malicious people to conduct
cross-site scripting or SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30069/

--

[SA30061] Nuke ET Security Bypass and Script Insertion Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Cross Site Scripting
Released: 2008-05-07

mrzayas has reported some vulnerabilities in Nuke ET, which can be
exploited by malicious people to bypass certain security restrictions
or conduct script insertion attacks.

Full Advisory:
http://secunia.com/advisories/30061/

--

[SA30058] BlogMe PHP "id" SQL Injection Vulnerability

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data
Released: 2008-05-05

His0k4 has discovered a vulnerability in BlogMe PHP, which can be
exploited by malicious people to conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30058/

--

[SA30057] SMartBlog Multiple Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Manipulation of data, Exposure of sensitive information
Released: 2008-05-05

Some vulnerabilities have been discovered in SMartBlog, which can be
exploited by malicious people to disclose potentially sensitive
information and conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30057/

--

[SA30056] phpDirectorySource SQL Injection Vulnerabilities

Critical: Moderately critical
Where: From remote
Impact: Security Bypass, Manipulation of data, Exposure of
sensitive information
Released: 2008-05-05

InjEctOr and FishEr762 have discovered two vulnerabilities in
phpDirectorySource, which can be exploited by malicious people to
conduct SQL injection attacks.

Full Advisory:
http://secunia.com/advisories/30056/

--

[SA30133] Sun Java System Web Server Search Module Cross-Site Scripting
Vulnerability

Critical: Less critical
Where: From remote
Impact: Cross Site Scripting
Released: 2008-05-08

Sun has acknowledged a vulnerability in Sun Java System Web Server,
which can be exploited by malicious people to conduct cross-site
scripting attacks.

Full Advisory:
http://secunia.com/advisories/30133/

--
...
]]> Fri, 9 May 2008 07:47:40 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0048.html +------------------------------------------------------------------------+
| LinuxSecurity.com Weekly Newsletter |
| May 9th, 2008 Volume 9, Number 19 |
| |
| Editorial Team: Dave Wreski <dwreski@private> |
| Benjamin D. Thomas <bthomas@private> |
+------------------------------------------------------------------------+

Thank you for reading the LinuxSecurity.com weekly security newsletter.
The purpose of this document is to provide our readers with a quick
summary of each week's most relevant Linux security headlines.

This week security advisories were issued for CUPS, Emacs, KDE, LTSP,
OpenOffice.org, b2evolution, blender, cacti, cpio, gpdf, kazehakase,
kdelibs, kernel, mozilla-thunderbird, openssh, php, roundup, wordpress,
and multiple X11 terminals. The distributors included Debian, Gentoo,
Mandriva, Red Hat, Slackware, and Ubuntu.

---

>> Linux+DVD Magazine <<

Our magazine is read by professional network and database administrators,
system programmers, webmasters and all those who believe in the power of
Open Source software. The majority of our readers is between 15 and 40
years old. They are interested in current news from the Linux world,
upcoming projects etc.

In each issue you can find information concerning typical use of Linux:
safety, databases, multimedia, scientific tools, entertainment,
programming, e-mail, news and desktop environments.

http://www.linuxsecurity.com/ads/adclick.php?bannerid=3D26

---

Review: The Book of Wireless
----------------------------
=93The Book of Wireless=94 by John Ross is an answer to the problem of
learning about wireless networking. With the wide spread use of Wireless
networks today anyone with a computer should at least know the basics of
wireless. Also, with the wireless networking, users need to know how to
protect themselves from wireless networking attacks.

http://www.linuxsecurity.com/content/view/136167

---

April 2008 Open Source Tool of the Month: sudo
----------------------------------------------
This month the editors at LinuxSecurity.com have chosen sudo as the Open
Source Tool of the Month!

http://www.linuxsecurity.com/content/view/135868

--> Take advantage of the LinuxSecurity.com Quick Reference Card! <--
--> http://www.linuxsecurity.com/docs/QuickRefCard.pdf <--

--------------------------------------------------------------------------

* EnGarde Secure Community 3.0.19 Now Available! (Apr 15)
-------------------------------------------------------
Guardian Digital is happy to announce the release of EnGarde Secure
Community 3.0.19 (Version 3.0, Release 19). This release includes many
updated packages and bug fixes and some feature enhancements to the
EnGarde Secure Linux Installer and the SELinux policy.

http://www.linuxsecurity.com/content/view/136174

--------------------------------------------------------------------------

* Debian: New kazehakase packages fix execution of arbitrary (May 6)
------------------------------------------------------------------
The PCRE library has been updated to fix the security issues reported
against it in previous Debian Security Advisories. This update ensures
that kazehakase uses that supported library, and not its own embedded
and insecure version.

http://www.linuxsecurity.com/content/view/136706

* Debian: New roundup packages fix regression (May 6)
---------------------------------------------------
Roundup, an issue tracking system, fails to properly escape HTML input,
allowing an attacker to inject client-side code (typically JavaScript)
into a document that may be viewed in the victim's browser.

http://www.linuxsecurity.com/content/view/136702

* Debian: New cacti packages fix regression (May 6)
-------------------------------------------------
It was discovered that Cacti, a systems and services monitoring
frontend, performed insufficient input sanitising, leading to cross
site scripting and SQL injection being possible.

http://www.linuxsecurity.com/content/view/136701

* Debian: New cacti packages fix multiple vulnerabilities (May 5)
---------------------------------------------------------------
It was discovered that Cacti, a systems and services monitoring
frontend, performed insufficient input sanitising, leading to cross
site scripting and SQL injection being possible.

http://www.linuxsecurity.com/content/view/136698

* Debian: New b2evolution packages fix cross site scripting (May 5)
-----------------------------------------------------------------
"unsticky" discovered that b2evolution, a blog engine, performs
insufficient input sanitising, allowing for cross site scripting.

http://www.linuxsecurity.com/content/view/136697

* Debian: New blender packages fix arbitrary code execution (May 5)
-----------------------------------------------------------------
Stefan Cornelius discovered a vulnerability in the Radiance High
Dynamic Range (HDR) image parser in Blender, a 3D modelling
application.=09The weakness could enable a stack-based buffer overflow
and the execution of arbitrary code if a maliciously-crafted HDR file
is opened, or if a directory containing such a file is browsed via
Blender's image-open dialog.

http://www.linuxsecurity.com/content/view/136696

* Debian: New cpio packages fix denial of service (May 2)
-------------------------------------------------------
Dmitry Levin discovered a vulnerability in path handling code used by
the cpio archive utility. The weakness could enable a denial of
service (crash) or potentially the execution of arbitrary code if a
vulnerable version of cpio is used to extract or to list the contents
of a maliciously crafted archive.

http://www.linuxsecurity.com/content/view/136691

* Debian: New Linux 2.6.18 packages fix several vulnerabilities (May 1)
---------------------------------------------------------------------
Several local vulnerabilities have been discovered in the Linux kernel
that may lead to a denial of service or the execution of arbitrary
code. The Common Vulnerabilities and Exposures project identifies the
following problems:

http://www.linuxsecurity.com/content/view/136688

* Debian: New wordpress packages fix several vulnerabilities (May 1)
------------------------------------------------------------------
Several remote vulnerabilities have been discovered in wordpress, a
weblog manager. The Common Vulnerabilities and Exposures project
identifies the following problems: Insufficient input sanitising
allowed for remote attackers to redirect visitors to external
websites.

http://www.linuxsecurity.com/content/view/136687

--------------------------------------------------------------------------

* Gentoo: Multiple X11 terminals Local privilege escalation (May 7)
-----------------------------------------------------------------
A vulnerability was found in aterm, Eterm, Mrxvt, multi-aterm, RXVT,
rxvt-unicode, and wterm, allowing for local privilege escalation.

http://www.linuxsecurity.com/content/view/136718

--------------------------------------------------------------------------

* Mandriva: Updated openssh packages fix vulnerability (May 6)
------------------------------------------------------------
A vulnerability in OpenSSH 4.4 through 4.8 allowed local attackers to
bypass intended security restrictions enabling them to execute commands
other than those specified by the ForceCommand directive, provided they
are able to modify to ~/.ssh/rc (CVE-2008-1657). The updated packages
have been patched to correct this issue.

http://www.linuxsecurity.com/content/view/136710

* Mandriva: Updated kdelibs packages fix vulnerability in (May 6)
---------------------------------------------------------------
A vulnerability was found in start_kdeinit in KDE 3.5.5 through 3.5.9
where, if it was installed setuid root, it could allow local users to
cause a denial of service or possibly execute arbitrary code
(CVE-2008-1671). By default, start_kdeinit is not installed setuid root
on Mandriva Linux, however updated packages have been patched to
correct this issue.

http://www.linuxsecurity.com/content/view/136709

* Mandriva: Updated emacs packages fix vulnerability in vcdiff (May 6)
--------------------------------------------------------------------
Steve Grubb found that the vcdiff script in Emacs create temporary
files insecurely when used with SCCS. A local user could exploit a
race condition to create or overwrite files with the privileges of the
user invoking the program (CVE-2008-1694). The updated packages have
been patched to correct this issue.

http://www.linuxsecurity.com/content/view/136708

* Mandriva: Updated OpenOffice.org packages fix (May 2)
-----------------------------------------------------
A vulnerability in HSQLDB before 1.8.0.9 in OpenOffice.org could allow
user-assisted remote attackers to execute arbitrary Java code via
crafted database documents (CVE-2007-4575).

http://www.linuxsecurity.com/content/view/136692

--------------------------------------------------------------------------

* RedHat: Important: gpdf security update (May 8)
-----------------------------------------------
Kees Cook discovered a flaw in the way gpdf displayed malformed fonts
embedded in PDF files. An attacker could create a malicious PDF file
that would cause gpdf to crash, or, potentially, execute arbitrary code
when opened. (CVE-2008-1693)

http://www.linuxsecurity.com/content/view/136721

* RedHat: Important: kernel security and bug fix update (May 7)
-------------------------------------------------------------
Updated kernel packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 3. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/136713

* RedHat: Important: kernel security and bug fix update (May 7)
-------------------------------------------------------------
Updated kernel packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 5. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/136714

* RedHat: Important: kernel security and bug fix update (May 7)
-------------------------------------------------------------
Updated kernel packages that fix various security issues and several
bugs are now available for Red Hat Enterprise Linux 4. This update has
been rated as having important security impact by the Red Hat Security
Response Team.

http://www.linuxsecurity.com/content/view/136715

--------------------------------------------------------------------------

* Slackware: php (May 8)
------------------------
New php packages are available for Slackware 10.2, 11.0, 12.0, 12.1,
and -current to fix security issues. Note that PHP5 is not the default
PHP for Slackware 10.2 or 11.0 (those use PHP4), so if your PHP code is
not ready for PHP5, don't upgrade until it is or you'll (by definition)
run into problems. More details about one of the issues may be found in
the Common Vulnerabilities and Exposures (CVE) database:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=3DCVE-2008-0599

http://www.linuxsecurity.com/content/view/136719

* Slackware: mozilla-thunderbird (May 8)
----------------------------------------
New mozilla-thunderbird packages are available for Slackware 10.2,
11.0, 12.0, 12.1, and -current to fix security issues, including
crashes that can corrupt memory, as well as a JavaScript privilege
escalation and arbitrary code execution flaw. More details about these
issues may be found here:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#thu
nderbird

http://www.linuxsecurity.com/content/view/136720

--------------------------------------------------------------------------

* Ubuntu: LTSP vulnerability (May 7)
-----------------------------------
Christian Herzog discovered that it was possible to connect to any LTSP
client's X session over the network.=09A remote attacker could eavesdrop
on X events, read window contents, and record keystrokes, possibly
gaining access to private information.

http://www.linuxsecurity.com/content/view/136712

* Ubuntu: OpenOffice.org vulnerabilities (May 7)
-----------------------------------------------
It was discovered that arbitrary Java methods were not filtered out
when opening databases in OpenOffice.org. If a user were tricked into
running a specially crafted query, a remote attacker could execute
arbitrary Java with user privileges. (CVE-2007-4575)

http://www.linuxsecurity.com/content/view/136711

* Ubuntu: Thunderbird vulnerabilities (May 6)
--------------------------------------------
Various flaws were discovered in the JavaScript engine. If a user had
JavaScript enabled and were tricked into opening a malicious email, an
attacker could escalate privileges within Thunderbird, perform
cross-site scripting attacks and/or execute arbitrary code with the
user's privileges.

http://www.linuxsecurity.com/content/view/136707

* Ubuntu: KDE vulnerability (May 6)
----------------------------------
It was discovered that start_kdeinit in KDE 3 did not properly sanitize
its input. A local attacker could exploit this to send signals to other
processes and cause a denial of service or possibly execute arbitrary
code. (CVE-2008-1671)

http://www.linuxsecurity.com/content/view/136703

* Ubuntu: Emacs vulnerabilities (May 6)
--------------------------------------
It was discovered that Emacs did not account for precision when
formatting integers. If a user were tricked into opening a specially
crafted file, an attacker could cause a denial of service or possibly
other unspecified actions. This issue does not affect Ubuntu 8.04.
(CVE-2007-6109) Steve Grubb discovered that the vcdiff script as
included in Emacs created temporary files in an insecure way when used
with SCCS. Local users could exploit a race condition to create or
overwrite files with the privileges of the user invoking the program.
(CVE-2008-1694)

http://www.linuxsecurity.com/content/view/136704

* Ubuntu: CUPS vulnerability (May 5)
-----------------------------------
Thomas Pollet discovered that CUPS did not properly validate the size
of PNG images. A local attacker, and a remote attacker if printer
sharing is enabled, could send a crafted file and cause a denial of
service or possibly execute arbitrary code as the non-root user in
Ubuntu 6.06 LTS and 7.04. In Ubuntu 7.10, attackers would be isolated
by the AppArmor CUPS profile. (CVE-2008-1722)

http://www.linuxsecurity.com/content/view/136695

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email newsletter-request@private
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:23:31 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0057.html http://blog.wired.com/27bstroke6/2008/05/air-force-col-w.html

By Kevin Poulsen
Threat Level
Wired.com
May 12, 2008

While most government agencies are struggling to keep their computers
out of the latest Russian botnets, Col. Charles W. Williamson III is
proposing that the Air Force build its own zombie network, so it can
launch distributed denial of service attacks on foreign enemies.

In the most lunatic idea to come out of the military since the gay bomb,
Williamson writes in the Armed Force Journal that the Air Force should
deliberately install DDoS code on its unclassified computers, as well as
civilian government machines. He even wants to rescue old machines from
the junk bin to enlist in the .mil botnet army.

The U.S. would not, and need not, infect unwitting computers as
zombies. We can build enough power over time from our own resources.

Rob Kaufman, of the Air Force Information Operations Center,
suggests mounting botnet code on the Air Force.s high-speed
intrusion-detection systems. Defensively, that allows a quick
response by directly linking our counterattack to the system that
detects an incoming attack. The systems also have enough processing
speed and communication capacity to handle large amounts of traffic.

Next, in what is truly the most inventive part of this concept, Lt.
Chris Tollinger of the Air Force Intelligence, Surveillance and
Reconnaissance Agency envisions continually capturing the thousands
of computers the Air Force would normally discard every year for
technology refresh, removing the power-hungry and heat-inducing hard
drives, replacing them with low-power flash drives, then installing
them in any available space every Air Force base can find. Even
though those computers may no longer be sufficiently powerful to
work for our people, individual machines need not be cutting-edge
because the network as a whole can create massive power.

After that, the Air Force could add botnet code to all its desktop
computers attached to the Nonsecret Internet Protocol Network
(NIPRNet). Once the system reaches a level of maturity, it can add
other .mil computers, then .gov machines.

Brilliant! The best defensive minds in the country want to build a
massive distributed computing system to do nothing but pump crap into
the internet. The article talks about carefully targeting attackers'
machines, but this ignores all the intermediate networks between the Air
Force and the target, which will have to contend with a flood of garbage
packets whenever some cyber Dr. Strangelove decides to go nuclear.

What's next? Air Force 4-1-9 scams? Dot mil phishing attacks? The most
disappointing thing about this irresponsible proposal is the tacit
admission that our elite cyber warriors can't actually break into an
enemy's computer, instead resorting to a brute force attack designed by
web defacement script kiddies eight years ago when Apache servers got
too hard to hack directly.

Update:

Reader A.E. Mouse says,

You all obviously don't really know anything about cyberwarfare.
Including you Kevin. Having this type of capability is essential to
IW [infowar] operations. Whether or not we actually need a "botnet"
to do it is inconsequential. DDoS attacks can be very useful when
used in a coordinated IW attack on enemy communications and network
infrastructure.

In addition our relatively unsophisticated enemies have this
capability. DDoS, while admittedly juvenile and "last resort", can
be an effective tool. The reciprocity doctrine here applies. If the
enemy has one, we need one too, a bigger one. The internet is a new
battleground. All weapon types are on the table.

I'm sure that DDoS attacks could be useful to the military under certain
circumstances. So could sending our enemies a bunch of unwanted magazine
subscriptions, or ordering them dozens of pizzas with anchovies and
pineapple (blech). But adults don't do that sort of thing.

The internet is a community venture, and DDoS is vandalism against the
community. There's no such thing as pinpoint targeting in a DDoS attack;
innocent civilian infrastructure is impacted every time.

Basically, Col. Williamson has noticed that there are bad guys in the
swimming pool, and his solution is to piss in their general direction.
That's the kind of behavior that rightly gets you kicked out of the pool
and sent home for the summer.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Tue, 13 May 2008 03:26:12 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0043.html http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9083718

By Brian Fonseca
May 7, 2008
Computerworld

Researchers who extracted data from a hard drive onboard the ill-fated
space shuttle Columbia say the device was so thoroughly damaged in the
shuttle's fiery crash that it just looked like a cracked "hunk of metal"
when it appeared at their door six months later.

Data recovery specialists at Kroll Ontrack Inc. painstakingly retrieved
99% of the information stored on the charred 400MB Seagate hard drive's
2.5-in. platters over a two day period after the device was discovered
six months after the 2003 shuttle crash. The device was found in a dried
up lake bed along the shuttle's debris area.

The successful retrieval of the data was disclosed in the April, 2008,
issue of the Physical Review E journal, which published data from tests
performed by the shuttle astronauts on the critical viscosity of xenon
gas, according to published reports. The results of the tests were
stored on the disk and retrieved by Kroll.

The Columbia disintegrated upon re-entry into the Earth's atmosphere on
Feb. 1, 2003, killing all seven crew members and scattering debris
across Texas and Louisiana. Investigators determined that a piece of
foam that became dislodged after launch damaged the ship's thermal
protection system, leading to an uncontrolled buildup of heat, which
destroyed the spacecraft.

At the time of the accident, the shuttle was returning from a 16-day
mission to conduct a variety of atmospheric scientific experiments. One
of those tests was an experiment for the National Institute of Standards
and Technology to determine how xenon gas flows in a zero gravity
environment. Information about that test was discovered intact on the
damaged drive, said Jon Edwards, a senior clean room engineer at Kroll.

Edwards said the circuit board on the bottom of the drive was "burned
almost beyond recognition" and that all of its components had fallen
off. Every piece of plastic on the model ST9385AG hard drive melted, he
noted, and all the electronic chips inside had burned and come loose.

Edwards said the Seagate hard drive -- which was about eight years old
in 2003 -- featured much greater fault tolerance and durability than
current hard drives of similar capacity.

Two other hard drives aboard the Columbia were so severely damaged that
it was impossible to extract any usable data, he added.

Before recovery could begin, a great deal of dirt and other debris had
to be cleaned from the storage device. A rubber seal at the top of the
hard drive was completely burned off enabling dirt and charred elements
to enter the casing. Everything but the drive's platters were virtually
unusable, remarked Edwards

"The heads were bent and they were touching where they shouldn't have,
so we had to carefully cut and bend metal away from the platters to get
them out without causing more damage," said Edwards.

Once cleaned, the platters were placed into a spare drive and carefully
aligned with a new motor. Because the original circuit board was
destroyed, Kroll had to use trial and error to determine which firmware
was needed for the device.

Although damage to the drive worsened once the team got it up and
running, the data recovery specialists retrieved 99% of the drive's
DOS-formatted contents. "It was only a couple hundred megabytes of data,
which isn't much by today's terms, but the data [the drive] contained
was very valuable," noted Edwards.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:49:24 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0052.html http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html

By Robert McMillan
IDG News Service
May 09, 2008

Security researchers have developed a new type of malicious rootkit
software that hides itself in an obscure part of a computer's
microprocessor, hidden from current antivirus products.

Called a System Management Mode (SMM) rootkit, the software runs in a
protected part of a computer's memory that can be locked and rendered
invisible to the operating system, but which can give attackers a
picture of what's happening in a computer's memory.

The SMM rootkit comes with keylogging and communications software and
could be used to steal sensitive information from a victim's computer.
It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo,
Florida, security company called Clear Hat Consulting.

The proof-of-concept software will be demonstrated publicly for the
first time at the Black Hat security conference in Las Vegas this
August.

The rootkits used by cyber crooks today are sneaky programs designed to
cover up their tracks while they run in order to avoid detection.
Rootkits hit the mainstream in late 2005 when Sony BMG Music used
rootkit techniques to hide its copy protection software. The music
company was ultimately forced to recall millions of CDs amid the ensuing
scandal.

In recent years, however, researchers have been looking at ways to run
rootkits outside of the operating system, where they are much harder to
detect. For example, two years ago researcher Joanna Rutkowska
introduced a rootkit called Blue Pill, which used AMD's chip-level
virtualization technology to hide itself. She said the technology could
eventually be used to create "100 percent undetectable malware."

"Rootkits are going more and more toward the hardware," said Sparks, who
wrote another rootkit three years ago called Shadow Walker. "The deeper
into the system you go, the more power you have and the harder it is to
detect you."

Blue Pill took advantage of new virtualization technologies that are now
being added to microprocessors, but the SMM rootkit uses a feature that
has been around for much longer and can be found in many more machines.
SMM dates back to Intel's 386 processors, where it was added as a way to
help hardware vendors fix bugs in their products using software. The
technology is also used to help manage the computer's power management,
taking it into sleep mode, for example.

In many ways, an SMM rootkit, running in a locked part of memory, would
be more difficult to detect than Blue Pill, said John Heasman, director
of research with NGS Software, a security consulting firm. "An SMM
rootkit has major ramifications for things like [antivirus software
products]," he said. "They will be blind to it."

Researchers have suspected for several years that malicious software
could be written to run in SMM. In 2006, researcher Loic Duflot
demonstrated how SMM malware would work. "Duflot wrote a small SMM
handler that compromised the security model of the OS," Embleton said.
"We took the idea further by writing a more complex SMM handler that
incorporated rootkit-like techniques."

In addition to a debugger, Sparks and Embleton had to write driver code
in hard-to-use assembly language to make their rootkit work. "Debugging
it was the hardest thing," Sparks said.

Being divorced from the operating system makes the SMM rootkit stealthy,
but it also means that hackers have to write this driver code expressly
for the system they are attacking.

"I don't see it as a widespread threat, because it's very
hardware-dependent," Sparks said. "You would see this in a targeted
attack."

But will it be 100 percent undetectable? Sparks says no. "I'm not saying
it's undetectable, but I do think it would be difficult to detect." She
and Embleton will talk more about detection techniques during their
Black Hat session, she said.

Brand new rootkits don't come along every day, Heasman said. "It will be
one of the most interesting, if not the most interesting, at Black Hat
this year," he said.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:24:33 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0049.html http://www.wired.com/politics/security/news/2008/05/nsa_cyberwargames

By David Axe
Wired.com
05.10.08

Five hours into their assault on West Point, the hackers got serious.

The SQL [structured query language] inserts that came earlier were just
pablum intended to lull the Army cadets into a false sense of security.
But then the bad guys unleashed a stealthy kernel-level rootkit that
burrowed into one workstation, started scraping data and "calling home."

It was a highly sophisticated attack, but this time the bad guys were
really good guys in wolves' clothing.

For four days in late April, the National Security Agency -- the
nation's most secretive repository of spooks, snoops and electronic
eavesdroppers -- directed coordinated assaults on custom-built networks
at seven of the nation's military academies, including West Point, the
Army university 50 miles north of New York City.

It was all part of the seventh annual Cyber Defense Exercise, a training
event for future military IT specialists. The exercise offered a rare
window into the NSA's toolkit for infiltrating, corrupting or destroying
computer networks.

The 34 Army cadets comprising the West Point IT team operated in a
different kind of battlefield, but their combat skills and instincts
need to be every bit as sharp. Like George Washington said: "There is
nothing so likely to produce peace as to be well prepared to meet the
enemy."

The SQL injections, targeting their Fedora Core 8 Web server, were a
piece of cake for these IT combatants. Each injection tried to smuggle
malicious code inside the seemingly harmless language used by the
network.s MySQL software. The cadets handily defended with open source
Apache web server modules, plus some manual tweaking of the SQL database
to "avoid any surprises," in the words of Lt Col. Joe Adams, a West
Point instructor who helped coach the team.

But the kernel-level rootkit was much more dangerous. This stealthy
operating-system hijacker can open unseen "back doors" into even highly
protected networks. When they detected the rootkit's "calls home" the
cadets launched Sysinternal's security software to find the hijacker,
then they manually scoured the workstation to find the unwelcome
executable file.

Then they terminated it. With extreme prejudice.

"This was probably the most challenging part of the exercise, since it
required them to use some advanced techniques to find the rootkit,"
Adams says. And rooting it out helped boost the West Point team to the
top of the pile when, in the aftermath of the exercise, the referees
rated all the universities' network defenses.

For the second year in a row, the Army placed first over the Navy, Air
Force, Coast Guard and others, winning geek bragging rights and the
privilege of holding onto a gaudy, 60-pound brass trophy festooned with
bald eagles and American flags. Adams credits the team.s thorough
preparation and their excellent teamwork despite the round-the-clock
schedule.

At the network control room on the second floor of West Point.s
200-year-old engineering building (which once was an indoor horse corral
and still smells like it in some remote corners, according to one
instructor), the IT team set up cots and, just for the hell of it,
camouflaged netting. They worked in shifts, with one team member always
monitoring incoming and outgoing traffic. He or she would alert other
cadets -- "router guys" -- to block any suspicious addresses. Meanwhile,
off-shift cadets would make food and coffee runs to keep everyone fueled
up and alert. Together, the team was "faster than anyone else," Adams
says.

But the way the cadets designed their network was a big factor in their
victory, too. The NSA dictated some terms: All networks had to be
capable of e-mail, chat and other services and had to be up and running
at all times despite any attacks or defensive measures. Beyond that, the
teams were free to come up with their own designs.

West Point's took three weeks to build. The cadets settled on a fairly
standard Linux and FreeBSD-based network with advanced routing
techniques for steering incoming traffic in directions of the IT team's
choosing.

The choices in software tools for responding to any attack really boiled
down to "automatic" versus "custom," says Eric Dean, a civilian
programmer and instructor. He adds that while automatic tools that do
most of their own work are certainly easier, custom tools that allow
more manual tweaking are more effective. "I expect one of the 'lessons
learned' will be the use of custom tools instead of automatics."

Even with a solid network design and passable software choices, there
was an element of intuitiveness required to defend against the NSA,
especially once it became clear the agency was using minor, and perhaps
somewhat obvious, attacks to screen for sneakier, more serious ones.

"One of the challenges was when they see a scan, deciding if this is it,
or if it.s a cover," says Dean. Spotting "cover" attacks meant thinking
like the NSA -- something Dean says the cadets did quite well. "I was
surprised at their creativity."

Legal limitations were a surprising obstacle to a realistic exercise.
Ideally, the teams would be allowed to attack other schools' networks
while also defending their own. But only the NSA, with its arsenal of
waivers, loopholes, special authorizations (and heaven knows what else)
is allowed to take down a U.S. network.

And despite the relative sophistication of the NSA's assaults, the
agency told Wired.com that it had tailored its attacks to be just "a
little too hard for the strongest undergraduate team to deal with, so
that we could distinguish the strongest teams from the weaker ones."

In other words, grasshopper, nice work -- but the NSA is capable of much
craftier network take-downs.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:23:52 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0058.html http://www.fcw.com/online/news/152496-1.html

By Michael Hardy
FCW.com
May 12, 2008

An encryption software company on the governmentwide Data-At-Rest
blanket purchase agreement is being accused of using a misleading matrix
in its marketing. The matrix implied that government officials had found
its product was better than its competitors'. However, no agency has
conducted such an assessment.

The company, Mobile Armor, has reportedly pulled the document from its
marketing materials. But questions have been raised about whether
agencies were misled and what contracting officials should do about it.
The contracting officer for the BPA has not indicated whether the
government will take further action against Mobile Armor.

Mobile Armor is one of 10 software companies on the Data-At-Rest BPA, a
joint effort of the Defense Department's Enterprise Software Initiative
and General Services Administrations SmartBuy programs. Soon after the
June 2007 award, companies started marketing their wares, and some
prospective customers began asking Mobile Armor's competitors to explain
their low scores on the competitive matrix.

The matrix showed several encryption software products, most of which
were available through the BPA, ranked on a scale of 0 to 5 in 11
specifications. Mobile Armor's product scored the highest ratings in all
categories on the chart. The chart's source line stated that the
information came from data the companies submitted to the Data At Rest
Tiger Team (DARTT), DOD and GSA. But competitors say they submitted no
information that could have been distilled into such numerical rankings.

Mobile Armor officials declined to comment for this story. However, they
told the BPA contracting officer that a consultant, who no longer works
for the company, created the matrix without the knowledge or approval of
company executives, sources said.

The case comes to light as contractors increasingly are under scrutiny
for ethical lapses. The Environmental Protection Agency abruptly
suspended IBM from all federal contracting for a week in early April
after reports surfaced that company employees obtained protected source
selection information from an EPA employee and used it in contract
negotiations.

The matrix has apparently circulated beyond the circle of government
customers for whom it was originally intended. Pete Morrison, vice
president of sales for Credant's North America operations, said a
commercial customer first brought the matrix to his attention.

"The key features as well as the rankings were a total fabrication,"
Morrison said. "This was not part of the process that the DARTT folks
went through when they awarded the contracts."

The companies vying for a place on the BPA answered a 103-question
questionnaire to establish that they met the minimum requirements for
inclusion, Morrison said. Because it was a BPA, the government made no
effort to sort out the better companies from weaker ones, he said. "If
you met the requirements, you got a contract. Nowhere was there any kind
of scoring or anything like this."

Companies submitted nothing that correlates to numerical scores, agreed
Joseph Belsanti, director of marketing at WinMagic, another of the
competing companies.

Maurice Griffin, the contracting officer overseeing the BPA, declined to
comment in detail. In a brief written statement, he said, "The matrix in
question was not a government document nor did the government direct,
require or provide input to development of the document." The evaluation
materials would be protected as source selection documents, he added.

Observers and competitors now wonder if Mobile Armor's agreement to stop
using the matrix will end the matter.

"Just pulling it down is a little weak," said Andy Solterbeck, chief
technology officer in the commercial security division of SafeNet,
another company on the BPA. "I think more of an active retraction would
be in order."

Solterbeck, like other competitors, said it would be difficult to know
whether his company lost any sales as a result of Mobile Armor's
marketing activities. His chief objection was that the matrix implied
that the data came from an official government source.

If the competitive matrix had been presented as anything other than a
government document, no one would have cared because it would have been
easy to refute, he added.

Belsanti said he doubted WinMagic had lost any sales because of the
matrix. "Our customer base within the federal government is a fairly
loyal one and a fairly educated one," he said. "I have not heard of this
document being detrimental to this success."

Nevertheless, security is primarily about trusting trustworthy people
and partners, Belsanti said. "The [fear, uncertainty and doubt] being
produced by some organizations in the marketplace isn't doing the market
any favors," he said. "If I was a customer in the marketplace, I would
think about who I put my trust in."

GSA officials declined to comment.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Tue, 13 May 2008 03:27:10 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0044.html http://www.silicon.com/publicsector/0,3800010403,39214543,00.htm

By Nick Heath
Silicon.com
8 May 2008

The Ministry of Defence (MoD) is to protect 20,000 laptops using
encryption software.

Machines used by the army, navy and RAF will be given password-protected
encryption using BeCrypt Disk Protect Baseline solution.

Disk Protect Baseline allows a hard disk to be encrypted and protected
by a single encryption key but each user has a unique password and
token.

A spokesman for the MoD said: "There was a feeling there was a need for
stringent security standards and the reason we chose BeCrypt was its
ability to deliver full hard drive encryption quickly."

The package will be used to protect data which has a Restricted
classification or less, and will now be deployed on laptops not
connected to the Defence Information Infrastructure. The MoD has already
been using BeCrypt's Disk Protect Baseline system to protect Defence
Information Infrastructure laptops since 2006.

The MoD has previously admitted several embarrassing data losses
including mislaying 11,000 ID cards and losing more than 600,000
servicemen's details.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:49:34 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0053.html http://www.topnews.in/classified-hong-kong-watch-list-leaked-internet-240641

By Sahil Nagpal
TopNews.in
May 9th, 2008

Hong Kong - A government investigation was underway Friday after it was
revealed that confidential files from the Immigration Department had
been mistakenly leaked on to the internet.

The list, which contained a list of the names of people for officers to
watch, plus travel document information and travel records, has been
available on the internet since Monday through a file-sharing programme
called "Foxy."

The blunder occurred after a newly-recruited immigration officer working
at the Lok Ma Chau border point took home some old classified files to
study without authorisation.

His computer contained the "Foxy" programme and when he connected to the
internet, the files were distributed without his knowledge.

The security blunder is the latest in a series in Hong Kong in the last
week.

Earlier this week, banking giant HSBC was forced to apologise to
customers after it admitted it had lost the data of 159,000 accounts
from a Hong Kong branch.

The data was held on a internet server which is understood to have gong
missing in April from the Kwun Tong branch of the bank while it was
undergoing renovation last month.

The Hospital Authority also admitted this week to the loss of data of
thousands of patients in several incidents.

In one case, a USB flashdrive containing the files of 10,000 patients
from the Prince of Wales Hospital was lost after a hospital worker who
was transferring the data left it in a taxi.

Lawmaker James To, the vice-chairman of the Legislative Council security
panel said the immigration department security breach was by far the
most serious of all three.

"This data is more private, it gives the detailed record of people's
travelling history," he said.

Chairman of the security panel Lau Kong-wah said the leak was
unforgivable.

"The data is sensitive information. Not only the Immigration Department,
but all government organisations should review their data-privacy
systems to prevent similar cases," he said.

Security Secretary Abromse Lee has said the officer concerned would face
disciplinary action after an investigation. (dpa)


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:24:44 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0045.html http://www.wbbm780.com/Hacker-Defended/2150588

WBBM780.com
08 May 2008

Some students and parents at Winnetka's New Trier High School are
rallying to the defense of a senior who's now charged criminally for
hacking into the school's computerized records.

WBBM's Bob Roberts and Regine Schlesinger report critics believe the
school has gone too far in punishing him.

18-year-old Jonah Greenthal of Glencoe already had been suspended and
barred from the prom and graduation after he hacked the school's records
in February to find out his class ranking.

Now he's facing a misdemeanor charge of computer tampering. Greenthal
was back at school Thursday - but only briefly so he could take his
advanced placement exams for college.

Friends and other seniors said Greenthal is taking his three-month
suspension, the decision by school officials to bar him from prom and
graduation ceremonies, and his arrest this week “hard,” and said they
are upset with the administration's stand.

“That's extreme. It's ruining his life,” said fellow New Trier senior
Christina Warner as she waited for a bus after taking placement exams
Thursday.

“I think it's over the top,” said fellow senior Noah Wasserman, who said
Greenthal continues to tutor students off-campus in classes to which he
was assigned before his suspension as a teacher's aide - even preparing
them study guides.

“That's taking it too far,” said senior Mona Kelkar, who said New Trier
administrators should have put the episode behind them and allowed
Greenthal back into his classes weeks ago.

Winnetka Police Deputy Chief Patrick Kreis said Thursday that there is
no indication that anyone else was involved in the hacking, and said he
could not recall a similar incident at New Trier, “at least nothing in
recent history.”

But senior Abby Needles said Greenthal is not the first and probably
won't be the last student to hack the computer to find his class
ranking, a statistic New Trier keeps but for years has refused to
divulge, even to the students themselves.

She said Greenthal is driven to succeed, and said pressure to perform is
an everyday fact of life at the school, informally called “the Harvard
of high schools” for decades.

“At New Trier there's a lot of pressure to be the best, do the best, get
the best grades,” Needles said.

“So a lot of students look for people who may know what the class ranks
are just because they're curious, just because they want to be on top.”

Wasserman said Greenthal continues to be driven to help fellow students
despite his suspension.

“He's creating review packets,” he said. “I think he's an asset to the
school and by keeping him from the school, it's actually a detriment.”

New Trier spokesperson Laura Blair said the decision to allow Greenthal
to take his AP exams did not indicate a change in the suspension or
handling of the case, which she called “unfortunate for the student and
the family.”

Kreis indicated that New Trier staff contacted them on Feb. 22,
requesting the investigation. Staff allegedly caught Greenthal logged
into the school computer on his laptop while on campus.

Students have made T-shirts and wristbands to show support for
Greenthal, who is free on $1,000 bond on a misdemeanor charge of
computer tampering, a charge that could draw a jail term of up to one
year and a $1,000 fine if he is convicted.

Greenthal's next court appearance is at 10:30 a.m. June 5, in Room 102
of the Skokie Courthouse.



_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:49:47 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0054.html http://www.techworld.com/security/news/index.cfm?newsID=101473

By Robert McMillan
IDG News Service
13 May 2008

An anonymous hacker has posted personal data about 6 million Chilean
residents on the Internet, highlighting wider privacy problems in the
country.

The data was posted early Saturday morning on Fayerwayer.com, a popular
Chilean technology blog.

The hacker, who calls himself "Anonymous Coward," posted three
compressed files of data that included names, addresses, telephone
numbers and taxpayer identification numbers for Chilean residents, said
Leo Prieto, Fayerwayer.com's director.

A site editor spotted the data, posted in Fayerwayer's comments section,
at 2 a.m. local time on Saturday. He immediately removed the files and
contacted Chilean police, who responded two hours later, Prieto said.

But over the following days the files started popping up on other sites
including Google's Blogger, Prieto said. "There's never been anything
like this," he said. "People are alarmed."

In a note accompanying the files, Anonymous Coward said he posted the
databases to draw attention to the poor data protection measures in the
country of 16 million people.

The files include tips on what to do with the data and how best to
access it.

"If you're going to extract data from a server, it's recommended to make
a script that doesn't connect directly to the server, but rather via
[anonymous proxies]," the hacker wrote.

Anonymous Coward also claimed that the files include information on the
daughter of Chilean president Michelle Bachelet. "Bachelet's daughter
has a school pass, although it's not given to many people because their
parents have earnings above a certain threshold," he wrote.

The data breach has been front page news in Chile, where it was first
reported Sunday by the newspaper El Mercurio.

The publicity has focused the country's attention on both government IT
security and also the country's lax privacy laws. For example, Chile's
department of elections sells voter data including gender, name,
address, nationality, date of birth, and information on disabilities.

Voter registration information is also sold in the U.S., but it can be
used only for political purposes. In Chile there is apparently no such
restriction.

Before his site became the center of this public firestorm, Prieto said
he had no idea that his data could be sold. "There's no such thing as
private information in Chile," he said.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Tue, 13 May 2008 03:25:18 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0040.html http://www.news.com/8301-10784_3-9939862-7.html

By Elinor Mills
News Blog
News.com
May 8, 2008

You think your personal information is priceless. But everything has a
price, even your stolen bank account information.

McAfee Avert Labs has discovered a price list that criminals use to buy
and sell credit card numbers, bank account log-ins, and other consumer
data that have been filched from unsuspecting Web surfers.

"Last Friday morning in France, my investigations lead me to visit a
site proposing top-quality data for a higher price than usual," writes
Francois Paget of McAfee. "But when we look at this data we understand
that as everywhere, you have to pay for quality."

For example, a Washington Mutual Bank account in the U.S. with an
available balance of $14,400 is priced at 600 euros ($924), while a
Citibank UK account with an available balance of 10,044 pounds is priced
at 850 euros ($1,310).

There's even a guarantee that if the buyer is unable to log into the
account within 24 hours, maybe because the owner of the data canceled
the account, the buyer can get a replacement stolen account to use.

Criminals can even buy skimmers, fake face-plates for ATM machines that
steal credit card data when the card is swiped, and so-called "dump
tracks" used to create fake credit cards, the McAfee blog entry says.

This follows on news earlier this week from Web security company Finjan
of the discovery of a server containing stolen consumer and business
data. Finjan said it found a server controlled by hackers that had more
than 1.4 gigabytes of data--more than 5,000 log files--stolen from
infected PCs. The stolen data included consumer and business e-mails, as
well as health care patient data and bank customer data from
individuals, financial institutions, law enforcement agencies, and other
companies around the world.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:48:43 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0046.html http://news.bbc.co.uk/1/hi/world/americas/7395295.stm

BBC News
bbc.co.uk
12 May 2008

A computer hacker in Chile has published confidential records belonging
to six million people on the internet, officials say.

The information was obtained by hacking into government and military
servers, and was posted on a technology blog.

It included ID card numbers, addresses, telephone numbers and academic
records.

The hacker left a message saying the aim was to demonstrate the poor
level of data protection in Chile, says the newspaper which uncovered
the story.

El Mercurio newspaper reports that the data came from computer servers
at the education ministry, the military and the electoral service.

It was posted on the forum of a Chilean blog dedicated to technology
issues, but was quickly removed by site's administrators, who contacted
the police.

Links to files containing the information were also posted on another
Chilean website, and again promptly removed, El Mercurio reports.

Police commissioner Jaime Jara told the newspaper that an investigation
into the incident was under way.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:22:35 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0055.html http://www.computing.co.uk/computing/news/2216373/students-educated-security

By Tom Young
Computing
12 May 2008

IT students are not being educated on how to "bake in" security when
designing and developing new software applications, according to
research.

The study for the Cyber Security Knowledge Transfer Network (KTN) found
that just one in five UK computing undergraduates get no more than five
hours education on software security - and many get none at all.

Insecure software applications have a knock-on effect on end users by
making their systems vulnerable, according to Bill Whyte, who carried
out the research.

"Today's computing market is a complex value chain of software
activities and is as vulnerable as its weakest link," he said.

Despite the current political clamour on the importance of information
security, this key issue is not being addressed, said Nigel Jones, head
of the KTN.

"The bottom line is that if we want to solve the problems we need to
start by fixing the root cause," he said.

A recent BERR and PricewaterhouseCoopers report on UK information
security breaches did not contain a single reference to secure software
development.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Tue, 13 May 2008 03:25:39 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0041.html http://www.nytimes.com/2008/05/09/technology/09cisco.html

By JOHN MARKOFF
The New York Times
May 9, 2008

SAN FRANCISCO — Counterfeit products are a routine threat for the
electronics industry. However, the more sinister specter of an
electronic Trojan horse, lurking in the circuitry of a computer or a
network router and allowing attackers clandestine access or control, was
raised again recently by the F.B.I. and the Pentagon.

The new law enforcement and national security concerns were prompted by
Operation Cisco Raider, which has led to 15 criminal cases involving
counterfeit products bought in part by military agencies, military
contractors and electric power companies in the United States. Over the
two-year operation, 36 search warrants have been executed, resulting in
the discovery of 3,500 counterfeit Cisco network components with an
estimated retail value of more than $3.5 million, the F.B.I. said in a
statement.

The F.B.I. is still not certain whether the ring’s actions were for
profit or part of a state-sponsored intelligence effort. The potential
threat, according to the F.B.I. agents who gave a briefing at the Office
of Management and Budget on Jan. 11, includes the remote jamming of
supposedly secure computer networks and gaining access to supposedly
highly secure systems. Contents of the briefing were contained in a
PowerPoint presentation leaked to a Web site, Above Top Secret.

A Cisco spokesman said that the company had investigated the counterfeit
gear seized by law enforcement agencies and had not found any secret
back door.

“We did not find any evidence of re-engineering in the manner that was
described in the F.B.I. presentation,” said John Noh, a Cisco spokesman.
He added that the company believed the counterfeiters were interested in
copying high volume products to make a quick profit. “We know what these
counterfeiters are about.”

An F.B.I. spokeswoman, Catherine L. Milhoan, said the agency was not
suggesting that the Chinese government was involved in the
counterfeiting ring. “We worked very closely with the Chinese
government,” she said. Arrests have been made in China as part of the
investigation, she said. “The existence of this document shows that the
cyber division of the F.B.I. has growing concerns about the production
and distribution of counterfeit network hardware.”

Despite Cisco’s reassurance, a number of industry executives and
technologists said that the threat of secretly added circuitry intended
to subvert computer and network gear is real.

[...]



_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Fri, 9 May 2008 07:49:01 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0050.html http://www.computing.co.uk/computing/news/2216315/dwp-sending-sensitive-passwords

By Tom Young
Computing
09 May 2008

Government staff in the Department of Work and Pensions (DWP) have been
sending out sensitive data in packages containing passwords that provide
access to the information.

An internal email to DWP staff outlining the poor security practices was
leaked to influential political blog Dizzy Thinks.

"Staff are... forwarding the data and password on together, which
defeats the purpose of the security measure entirely," the email reads.

After HM Revenue and Customs lost the details of 25 million families
last year, civil servants were told all information sent between
departments had to be password protected with passwords sent separately.

"We have carried out a major review of procedures around the transfer of
data to ensure the security of customer information. We expect all
managers to monitor the application of our security controls and ensure
that the correct action is taken in all cases," said a spokesman for the
DWP.


_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com

]]> Mon, 12 May 2008 03:24:08 -0500 (CDT) InfoSec News http://lists.jammed.com/ISN/2008/05/0038.html Forwarded from: Radu Sion <sion