HNS Newsletter
Issue 96 - 21.01.2002
http://net-security.org
http://security-db.com

This is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org.

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Archive of the newsletter in TXT and PDF format is available here:
http://www.net-security.org/news/archive/newsletter

Table of contents:

1) General security news
2) Security issues
3) Security world
4) Featured products
5) Featured article

========================================================
Sponsored by GFI, the developers of a revolutionary new intrusion detection product - LANguard Security Event Log Monitor. Download your copy!
http://www.net-security.org/cgi-bin/ads/ads.pl?banner=gfitxt
========================================================

General security news
---------------------

----------------------------------------------------------------------------

MINISTRY OF DEFENCE LOSES LAPTOPS
594 laptops have been misplaced or stolen from Britain's Ministry of Defence over the last five years, the government has admitted. A total of 1,354 government-owned computers have gone walkabout over the same period.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/55/23664.html

SECURITY VS. PRIVACY
State motor-vehicle offices will propose that drivers' licenses incorporate biometrics. Is that the same as a national ID card?
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.informationweek.com/story/IWK20020111S0048

SECURITY DELVES DEEPER
Security systems are spreading roots deeper into network processes, leveraging directory and policy control to halt a growing breed of internal computer threats. Novell, NetIQ, and NetScreen Technologies are weighing in with products that integrate with these internal assets.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.infoworld.com/articles/hn/xml/02/01/14/020114hnsecurity.xml

FIND THE COST OF (VIRUS) FREEDOM
Virus and worm attacks were at an all-time high in 2001, costing corporations billions of dollars, according to the news reports that followed each release of malicious code. But many industry experts wonder how the company behind those numbers, Computer Economics, arrives at these seemingly exorbitant figures. Some antivirus firms and industry watchdogs said that Computer Economics is less than forthcoming about the specific data, sources and processes that it uses to tabulate the economic impact of viruses.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/business/0,1367,49681,00.html

MICROSOFT: .NET VIRUS .NOT
W32.Donut isn't a true .Net virus, the software company says, defending the reputation of its online strategy.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.zdnet.co.uk/story/0,,t269-s2102449,00.html

ROUTERS UNDER ATTACK
CERT warns that attackers are now turning their attention to routers, focusing on vulnerabilities that let them intercept passwords and credit card numbers, redirect traffic to other sites or fake addresses, and perhaps halt Internet traffic altogether.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techweb.com/tech/security/20020114_security

THE PASSWORD IS ... CONFUSION
Several companies are devising secure alternatives to the time-wasting method of having a different password for every site, but storing passwords and personal information in one central place raises other concerns.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.ecommercetimes.com/perl/story/15766.html

POLITICAL HACKERS ON THE INCREASE IN BRITAIN
The number of defacements affecting UK government Web sites increased nearly fourfold last year.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.zdnet.co.uk/story/0,,t269-s2102501,00.html

THE PERFECT FORENSICS CANDIDATE
Exodus Communications Inc. has a team of 22 incident response analysts, and it can always use a few more people with expertise in the field to support internal and client investigations. But Charles Neal, incident response director at the firm, is picky.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.computerworld.com/itresources/rcstory/0,4167,STO67228_KEY73,00.html

WORM POSES AS OUTLOOK UPDATE
The "Gigger" worm, masquerading as a software update from Microsoft, is capable of deleting all files on the hard drive of an infected computer. The worm is a low threat since so few computers have been infected.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/technology/0,1282,49726,00.html

CRYPTOGRAPHIC ABUNDANCE
One knee-jerk reaction in the aftermath of the September 11 attacks was to call for a ban on the use of cryptography. Even if this were desirable, it would be difficult to achieve - there are now thousands of competent cryptographers in more than 50 nations. The genie of cryptographic knowledge is out of its chamber.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.techreview.com/articles/insight0102.asp

EXPLOIT CIRCULATING FOR SOLARIS HOLE
The CERT/CC has received credible reports of scanning and exploitation of Solaris systems via the buffer overflow vulnerability in the CDE Subprocess Control Service.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cert.org/advisories/CA-2002-01.html

BACKING UP ORACLE'S 'UNBREAKABLE' VOW
It's up to new Chief Security Officer Mary Ann Davidson to make the software giant's extremely risky claim stick.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/news/308

"HI-TECH HATE" BUSTED BY THE ITALIAN POLICE
Six members have been charged with attacking thousands of Web sites in 62 countries, replacing official home pages with anti-globalization slogans. In the US, defaced sites included those of the Pentagon, the U.S. National Aeronautics and Space Administration, courts, and numerous universities including Harvard University, Columbia University, and Cornell University.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.pcworld.com/news/article/0,aid,79686,00.asp

F-SECURE FIXES SCANNER GLITCH
F-Secure has discovered a bug that can cause system crashes on Windows machines loaded with its antivirus software. In real life, the flaw is very rare - only three customer sightings in a year. Today the company has issued a fix.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/55/23689.html

BREAKABLE
A U.K. security expert is preparing to unveil a trove of serious vulnerabilities in Oracle's database products. Can the company redefine 'unbreakable' in time?
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/news/309

WINDOWS MEDIA PLAYER MUST BE PATCHED TO FIX IE
A trivial scrap of malicious JavaScript can defeat entirely the Platform for Privacy Preferences (P3P) 'protections' Microsoft has integrated into Internet Explorer 6, all because of a dodgy 'feature' in Windows Media Player (WMP).
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/55/23700.html

MANAGING IMAP: CYRUS SYSTEM ADMINISTRATION
In this excerpt from Managing IMAP, the authors provide practical examples for Cyrus IMAP server administration. Topics include common tasks, disaster recovery, and troubleshooting.
Link: http://www.unixreview.com/documents/s=1820/uni1011125506795/0201h.htm

.NET PROBLEMS PLAGUE MICROSOFT
After a five-day outage, Microsoft fixed a technician's error Tuesday, allowing Windows users to once again access critical operating system updates on the company's Web site.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,5101795,00.html

ATTENTION SHOPPERS: YOU MAY BE STUDIED
Brick-and-mortar shoppers already monitored for security reasons will be studied anonymously for their shopping habits through a software platform that aims to help retailers improve customer service.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2002/TECH/internet/01/15/shopping.studies.idg/index.html

ADOBE CHIEF THREATENS TO ABANDON ASIA OVER PIRACY
Adobe Systems Inc last week threatened to stop supporting Chinese language versions of its software because of persistent pirating of its products in China and other Asian markets.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/4/23661.html

NOVELL SECURES LUFTHANSA'S NETWORK
Lufthansa has appointed Novell to provide secure network and directory services for its 70,000 employees.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.nwfusion.com/news/2002/0116lufthansa.html

GATES: SECURITY A TOP PRIORITY
In an e-mail sent to employees and leaked (?) to the Associated Press, Gates said that the company intends to shift from a focus on features to spotlighting security and privacy. Haven't we already heard that story numerous times?
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1003-200-8509737.html

SOFTWARE SECURITY LAW CALL
An influential body of researchers is calling on the US Government to draft laws that would punish software firms that do not do enough to make their products secure.
That's probably why an e-mail by Gates regarding security "leaked" to the press, as described in the news item above.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.bbc.co.uk/hi/english/sci/tech/newsid_1762000/1762261.stm

USING SSH PORT FORWARDING TO PRINT AT REMOTE LOCATIONS
Rory Krause shows you how to connect the printing systems on different networks across the Internet in a secure manner.
Link: http://www.linuxjournal.com/article.php?sid=5462

FILTERING SPAM WITH PROCMAIL
Unwanted e-mail sent by advertisers is annoying and sometimes offensive. Dru Lavigne explains how to add a spam filter to procmail to keep this e-mail out of your inbox.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.oreillynet.com/pub/a/bsd/2002/01/10/FreeBSD_Basics.html

NETWORK ASSOCIATES BEATS ESTIMATES
Network Associates reported pro forma fourth-quarter earnings of $0.23 per share, or $40.5 million, a sharp improvement over the year-ago quarter's loss of $0.87 per share. This was the security giant's second consecutive profitable quarter.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.eweek.com/article/0,3658,s%253D701%2526a%253D21383,00.asp

CAN YOU SU?
Sandra Henry-Stocker writes: "I was checking on the status of one of my servers when I noticed that my "su" command seemed to be hanging. I'd type "su -" in my terminal window, enter root's password, and wait. I couldn't control-C or control-Z my way out of the frozen window. Logging in from another terminal window, I killed the process and began to think about what might possibly be causing this odd behavior."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.itworld.com/nl/unix_sys_adm/01092002

SYGATE BEEFS UP PERSONAL FIREWALL PRO
Sygate Technologies announced the release of its latest Personal Firewall Pro, which adds intrusion detection and protection from recently discovered personal-firewall vulnerabilities to the product.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.pcworld.com/news/article/0,aid,80404,00.asp

A GUIDE TO BETTER PASSWORD PRACTICES
While we may find them annoying, and even take them for granted, it is important to remember why passwords are important: passwords are the foundation of authentication, which is often the first line of security. This article will provide a brief overview of how to create and maintain strong, effective passwords.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/infocus/1537

FBI: AL QAEDA MAY HAVE PROBED GOVERNMENT SITES
The FBI issued an alert to law enforcement agencies across the nation warning officials of uncorroborated information that al Qaeda agents may have been probing Web sites, including some dealing with nuclear information.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2002/TECH/internet/01/17/fbi.alert/index.html

YIHAT FOUNDER KIMBLE/SCHMITZ ARRESTED
Thai police arrested Schmitz in Bangkok, acting on a German warrant charging him with securities fraud.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/55/23745.html

----------------------------------------------------------------------------

========================================================
HNS Security Database
========================================================
HNS Security Database consists of a large database of security related companies, their products, professional services and solutions. HNS Security Database will provide a valuable asset to anyone interested in implementing security measures and systems in their companies' networks.
Visit us at http://www.security-db.com
========================================================

Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs

----------------------------------------------------------------------------

SECURITY WEAKNESSES OF VTUN
The following text describes security flaws in vtund. It includes a description of the security based on the source and lists the possible attacks. An attacker can modify packets, replay them, learn patterns of the plaintext, or easily guess a low-entropy password.
Link: http://www.net-security.org/text/bugs/1011019036,94743,.shtml

HANDSPRING VISOR DENIAL OF SERVICE
The Handspring Visor seems to have problems dealing with an nmap scan.
Link: http://www.net-security.org/text/bugs/1011019091,38000,.shtml

SLASHCODE LOGIN VULNERABILITY
Slash, the code that runs Slashdot and many other web sites, has a vulnerability in recent versions that allows any logged-in user to log in as any other user.
Link: http://www.net-security.org/text/bugs/1011019139,17257,.shtml

CALDERA OPENSERVER WU-FTPD FTPGLOB() VULNERABILITY
A vulnerability in the wu-ftpd ftpglob() function was found by the CORE ST team. This vulnerability can be exploited to obtain root access on the ftp server.
Link: http://www.net-security.org/text/bugs/1011019467,29792,.shtml

IE CLIPBOARD STEALING VULNERABILITY
Since Internet Explorer 5.0, there has been a way to read and set the user's clipboard text from script, by default, and with no prompting. This can be handy for web-based applications, but can be used in a malicious way to steal the clipboard contents.
Link: http://www.net-security.org/text/bugs/1011099532,92823,.shtml

INTERNET EXPLORER POP-UP OBJECT TAG BUG
Under initial testing, scripting was not possible in the popup object, nor could I pass parameters to the executables.
Regardless, there may be more dangerous examples of code being put within the popup object, as it seems to do almost no internal checking at all.
Link: http://www.net-security.org/text/bugs/1011099646,37878,.shtml

PHP 4.X SESSION SPOOFING
Since PHP 4 there has been native support for sessions, which was derived from the PHPLib. But instead of using a SQL backend to store these IDs, they chose to store them as files in /tmp. Every session is stored in a file like sess_g35g5g54gg45wg85 where "g35g5g54gg45wg85" is the actual session ID. Someone could now easily spoof these sessions, because he now knows the IDs. He would even be able to *read* the contents of these files, because PHP very often runs as a module (i.e. every executed PHP script inherits the user permissions of apache), thus you only have to write a PHP script which reads out these files.
Link: http://www.net-security.org/text/bugs/1011099707,9919,.shtml

PI3WEB WEBSERVER V2.0 BUFFER OVERFLOW VULNERABILITY
The server crashes after a very long CGI parameter is sent a few times.
Link: http://www.net-security.org/text/bugs/1011099776,13172,.shtml

SIEMENS MOBILE SMS VULNERABILITY
Siemens mobile phones transfer SMS in PDU format. There is a bug in displaying an exceptional character: the phone shuts down, and the SMS can't be deleted. So anyone can DoS the phone's SMS by sending many messages of this type.
Link: http://www.net-security.org/text/bugs/1011099865,17642,.shtml

MSIE MAY DOWNLOAD AND RUN PROGRAMS AUTOMATICALLY
The flaw allows a malicious web site to make Internet Explorer download and run programs when a user is visiting the web site or reading an HTML mail message. By exploiting it, any download and Security Warning dialogs can be circumvented. The program starts without further user interaction.
Link: http://www.net-security.org/text/bugs/1011099984,96059,.shtml

WEB SERVER 4D/ECOMMERCE 3.5.3 DOS VULNERABILITY
The server crashes after a very long URL is sent a few times.
Link: http://www.net-security.org/text/bugs/1011100065,16619,.shtml

ZBSERVER PRO DOS VULNERABILITY
The server crashes after a very long URL is sent a few times.
Link: http://www.net-security.org/text/bugs/1011100134,47643,.shtml

WWF GOES WILD FOR SOPHOS ANTI-VIRUS
Sophos, a world leader in corporate anti-virus protection, announced that it has been selected by WWF - the global environment network (formerly the World Wildlife Fund) - to defend its offices around the world from computer viruses.
Link: http://www.net-security.org/text/bugs/1011101274,24823,.shtml

OPENFILE WIN32 API LOG OVERWRITING/REWRITING
This advisory documents the use of file sharing parameters used when opening application security log files. When combined with some applications' default file system permissions, their use allows a lower-privilege attacker, who is unable to stop services that have locked the files, to modify log files and obfuscate attacks. This behavior is in use by Microsoft's IIS 4 and Symantec's Norton Internet Security 2001, and preliminary testing indicates also Norton Personal Firewall 2001. Though Microsoft's IIS 5 opens its log files with the same sharing parameters, default permissions prohibit lower-privilege accounts from modifying the logs while the service is running.
Link: http://www.net-security.org/text/bugs/1011190474,79512,.shtml

SAMBAR WEBSERVER V5.1 DOS VULNERABILITY
Sambar Webserver is bundled with a sample CGI script (testcgi.exe) which creates a security flaw. The server crashes after a very long request is sent a few times.
Link: http://www.net-security.org/text/bugs/1011190691,29635,.shtml

NETBSD ADVISORY: CLOSE-ON-EXEC, SUID AND PTRACE(2)
A process could exec a setuid binary, while gaining ptrace control over it for a short period before the process was activated. The ptrace controller process could then modify the address space of the controlled process and abuse its elevated privileges.
Link: http://www.net-security.org/text/bugs/1011265734,92753,.shtml

SERIOUS SECURITY FLAW IN PHP NUKE
The flaw is in index.php's include file feature. It allows including files like index.php?file=file. It prevents users from including ".." in URLs, but it didn't prevent users from entering http:// URLs. Remember PHP's remote get feature...
Link: http://www.net-security.org/text/bugs/1011265953,38579,.shtml

AVIRT GATEWAY SUITE REMOTE SYS LEVEL VULNERABILITY
Avirt Gateway Suite combines the features of the Avirt Gateway internet sharing technology with the functionality of the Avirt Mail server in one integrated package for the enterprise.
Link: http://www.net-security.org/text/bugs/1011355988,98378,.shtml

AVIRT PROXY BUFFER OVERFLOW VULNERABILITIES
The products are vulnerable to a buffer overflow condition, which can be exploited to execute arbitrary code on the systems in question.
Link: http://www.net-security.org/text/bugs/1011356059,48086,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

NETWORK-1 ANNOUNCES AGREEMENT WITH SBS
Network-1 Security Solutions, Inc., a leading developer of next generation distributed firewalls with intrusion detection and prevention capabilities, announced that the Company has entered into an agreement with Siemens Business Services (SBS), one of the world's leading providers of e-business solutions and services. As part of the agreement, SBS will include Network-1's CyberwallPLUS family of intrusion prevention software in its "Best-of-Breed" technology solutions portfolio, and provide integration and support services for CyberwallPLUS through SBS' professional services and security practice.
Press release: < http://www.net-security.org/text/press/1011030387,79695,.shtml >

----------------------------------------------------------------------------

OKENA INTRODUCES STORMWATCH 2.1
OKENA, Inc., the leading developer of intrusion prevention software, announced the enhanced version 2.1 of StormWatch. This new release of OKENA's flagship product provides a modular security policy format. The modular approach makes it easy to enable desired security features with a "point and click" interface. For example, server lockdown and IIS Web server protection can be enabled by simply checking the corresponding boxes. StormWatch 2.1 also makes the user-friendly installation process even easier and faster. StormWatch 2.1 automates the development of agent kits and the review of policies. Installation, from loading the software CD to complete enterprise-caliber intrusion prevention, now takes less than 30 minutes.
Press release: < http://www.net-security.org/text/press/1011030840,4867,.shtml >

----------------------------------------------------------------------------

NETIQ DEBUTS DIRECTORY SECURITY ADMINISTRATOR
NetIQ Corp., a leading provider of e-business infrastructure management and intelligence solutions, today announced the availability of the NetIQ Directory Security Administrator. Directory Security Administrator enhances the security provided in Microsoft Windows 2000 Active Directory by giving administrators a centralized interface to easily visualize, search for and modify Active Directory Access Control Lists (ACLs). Directory Security Administrator joins an upgraded suite of existing applications as part of NetIQ Administration Suite version 2.0, Standard Edition.
Press release: < http://www.net-security.org/text/press/1011031043,45430,.shtml >

----------------------------------------------------------------------------

APPLICATION SECURITY RELEASES APPDETECTIVE FOR ORACLE
Application Security, Inc.
announces the availability of AppDetective for Oracle, Version 2.0, which is an application security scanner designed to perform network-based penetration tests and vulnerability assessments. Armed with a revolutionary security methodology and an extensive knowledgebase of Oracle security vulnerabilities, AppDetective easily locates, examines, reports, and helps fix database security holes and misconfigurations with the click of a button (coming soon for Microsoft SQL Server, Sybase, Lotus Domino, and IBM DB2).
Press release: < http://www.net-security.org/text/press/1011190764,44385,.shtml >

----------------------------------------------------------------------------

ICSA LABS EXPERT TO DISCUSS WIRELESS SECURITY
The use of wireless devices such as cell phones, personal digital assistants (PDAs) and pagers moved well past the early adopter phase and into the mainstream during 2001. Wireless communication is now a staple of mobile business professionals everywhere who enjoy the convenience and increased capabilities that these devices offer. But while new features and capabilities abound, many experts agree that the security of information stored and transmitted by wireless devices remains a serious concern for wireless product vendors and their end-user customers.
Press release: < http://www.net-security.org/text/press/1011266141,33871,.shtml >

----------------------------------------------------------------------------

========================================================
Help Net Security T-Shirt available
========================================================
Thanks to our affiliate Jinx Hackwear we are offering you the opportunity to wear a nifty HNS shirt :) The image speaks for itself, so follow the link and get yourself one.
Get one here: http://207.21.213.175:8000/ss?click&jinx&3af04db0
========================================================

Featured products
-----------------

The HNS Security Database is located at:
http://www.security-db.com

Submissions for the database can be sent to:
staff@net-security.org

----------------------------------------------------------------------------

GTA CONSULTING
GTA Consulting is a security auditing service offering expert consultancy on your IT security policy, Internet security policy and acceptable use policy. 1 in 3 security breaches occur after a firewall has been installed. This is almost always down to mis-configuration during the installation process. It is advisable to have the security measures tested and audited.
Read more: < http://www.security-db.com/product.php?id=500 >
This is a product of Global Technology Associates Limited, for more information: < http://www.security-db.com/company.php?id=109 >

----------------------------------------------------------------------------

GUARDIAN DIGITAL LINUX LOCKBOX
The Guardian Digital Linux Lockbox is the first open source network server appliance designed to serve as a complete e-business solution. Powering the Lockbox is EnGarde, Guardian Digital's Linux, engineered to achieve the level of security required to conduct e-business. Its secure Web management software provides an easy-to-use storefront configuration and system administration tool, making the Lockbox the right choice for any e-business deployment.
Read more: < http://www.security-db.com/product.php?id=888 >
This is a product of Guardian Digital, Inc., for more information: < http://www.security-db.com/company.php?id=217 >

----------------------------------------------------------------------------

GUARDIAN IPSEC VPN
Communications and through an OEM agreement, marketed under the Guardian brand.
The Guardian IPSec VPN product line, including Accelerator Card, NodeManager Software and Remote Access Client, provides high performance, high security authenticated and encrypted communications via Internet/Intranet/Extranet. Guardian IPSec enables significant savings in communications costs through replacement of dedicated leased lines while building private and secure business communication channels.
Read more: < http://www.security-db.com/product.php?id=136 >
This is a product of NetGuard, for more information: < http://www.security-db.com/company.php?id=24 >

----------------------------------------------------------------------------

Featured article
----------------

All articles are located at:
http://www.net-security.org/text/articles

Articles can be contributed to staff@net-security.org

----------------------------------------------------------------------------

COMPUTER FORENSICS: INCIDENT RESPONSE ESSENTIALS
Computer forensics is an area of expertise that keeps evolving rapidly. New techniques are deployed, new technologies are used and abused. To stay in touch, you have to follow various IT trends and constantly rebuild your knowledge in order to successfully follow it. This book is sort of a starting point, your guide to making first steps in computer forensics. And it does an excellent job at it.
Read more: < http://www.net-security.org/various/bookstore/heiser >

----------------------------------------------------------------------------

Questions, contributions, comments or ideas go to:
Help Net Security staff
staff@net-security.org
http://net-security.org
http://security-db.com