HNS Newsletter Issue 57 -01.04.2001 http://net-security.org http://security-db.com This is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org. Subscribe to this weekly digest on: http://www.net-security.org/text/newsletter Archive of the newsletter in TXT and PDF format is available here: http://www.net-security.org/news/archive/newsletter Current subscriber count to this digest: 2139 Table of contents: 1) General security news 2) Security issues 3) Security world 4) Featured articles 5) Security software 6) Defaced archives General security news --------------------- ---------------------------------------------------------------------------- COMPANIES SEND EMPLOYEES TO 'HACKER' WORKSHOPS The best way to keep a hacker from breaking into a computer system from the outside may just be to have a hacker on the inside. That's what John Brozycki and Darien Ford's company figured when it paid $7,000 so they could learn to think like a computer interloper. "Ultimate Hacking: Hands On," a four-day course in Manhattan, gives them a legitimate opportunity to hack their way into computer systems. When they return to their regular jobs, keeping the network secure at a credit union in upstate New York, they'll be much better equipped. "You feel more confident, seeing how many of the exploits are done," Brozycki says, surrounded by fellow techies in a hotel conference room. "Once you see how they're done, you know how to prevent them." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.nandotimes.com/technology/story/0,1643,500467285-500714392-503919024-0,00.html UNCOVERING THE SECRETS OF SE LINUX: PART 2 In an uncharacteristic move, the U.S. National Security Agency recently released a security-enhanced version of Linux - code and all - to the open source community. Part 2 of this developerWorks exclusive delves deeper into the code, dissecting how the security_av is computed and examining how other SE Linux security features are invoked. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www-106.ibm.com/developerworks/linux/library/s-selinux2/index.html FIREWALLS GO GIGABIT In an attempt to put load-balancing vendors out of business, both Cisco and CyberGuard Corp. have upped the bandwidth ante by building mind-numbing throughput and performance into new enterprise-level firewalls. Engineered to handle the new wave of high-speed links, both products rise to the task with multiple Ethernet, Fast Ethernet and Gigabit Ethernet interfaces, preventing you from using "the firewall is my bottleneck" as an excuse. Both rack-mountable firewalls come with fail-safe features and various fault-tolerance levels. While they share many of the same capabilities, they differ in ease of configuration, management and performance. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.internetweek.com/reviews01/rev032601.htm MACNN REVIEW: NORTON PERSONAL FIREWALL In an effort to boost its already strong standing in the field of Macintosh utilities, Symantec last year licensed Open Door Networks' DoorStop software firewall utility, resulting in the creation of Norton Personal Firewall. With the number of broadband Internet connections (which are typically more susceptible to hacking than dial-up connections) increasing daily, as well as the number of intrusions into networks, Symantec is positioning Norton Personal Firewall as the utility of choice for Mac users looking for increased security with their Internet connection, and in doing so is going head-to-head with Intego's already established NetBarrier. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://reviews.macnn.com/reviews/nortonpersonalfirewall/nortonpersonalfirewall.phtml LION VIRUS: HOW TO DETECT AND PREVENT William Stearns, of the Institute for Security Technology Studies, has written a script called Lionfind to detect Lion. There is no removal program as yet. As prevention, users of BIND 4.9.8 and 8.2.3 distributions should download the latest patch from ISC. Users of the BIND 9.1 distribution should download this update. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2001/12/ns-21832.html 'UNIVERSAL' KEY CLAIMED TO DISABLE MS OFFICE XP SECURITY "Microsoft's vaunted Product Activation protection technology may not have been fully implemented in Office XP after all. Product keys claimed to be "universal" have been circulating on the Web for some weeks now, and a WinXP beta tester's newsgroup posting forwarded to The Register suggests that use of one of these keys circumvents the activation process. It is not at the moment possible to verify this completely. Warez copies of code claimed to Office XP "final" reportedly run without requiring activation if one of the keys is used, but those keys can't be said to be definitely universal until such time as they can be tested on production copies of Office XP sold at retail." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/4/17869.html NOT ENOUGH PROTECTION A majority (60%) of Canadians feel not enough is being done to protect Internet consumers against cyber crime, and over half (52%) feel threatened or concerned by this activity, a new poll released by EDS Canada indicates. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.newswire.ca/releases/March2001/26/c6703.html UN TO DEVISE STRATEGY FOR GLOBAL E-SECURITY Delegates from the United Nations' 189 member countries this week will meet with representatives from the U.S. high-tech industry to devise new strategies for dealing with Internet crime and global e-commerce security requirements. However, to ensure a coherent global strategy, world leaders must be better educated about the need for global security standards and the threat that cybercrime poses to the global economy, said Percy Mangoaela, the UN ambassador from Lesotho. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO58959,00.html HACKERS CLAIM DOUBLECLICK SECURITY HOLES Data-collection company DoubleClick returned to the privacy spotlight after a French Web site uncovered evidence indicating several of the company's servers had security holes and may have been breached. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://news.cnet.com/news/0-1003-200-5252461.html PRIVACY GROUP CRITICIZES TIVO FOR COLLECTING INFO The leading TV recording service has collected information about viewers - programs watched or recorded, remote control buttons pushed - without adequately informing them, a research group says. The Privacy Foundation was warning about the practice in a report Monday on the personalized TV system, which makes it easier for consumers to record and watch their favorite programs. Analysts expect 14 million people to be using such video recorders by 2004. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2001/TECH/industry/03/26/tv.privacy.ap/index.html HACKER NATION Computer intrusions have more than tripled in the last two years. Who are the people trying to get their hands on your data, and why? We got answers from some experts - including hackers themselves. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.pcworld.com/features/article/0,aid,44544,00.asp LESSONS IN LAPTOP SECURITY The laptop is not only a teleworker's power tool. It's a thief magnet. Securing confidential or proprietary data when you're on the road or you work beyond the enterprise is a pressing issue. Think this is someone else's problem? Think again. In the U.S. in 1999, 319,000 notebook computers and 27,000 desktop computers valued at close to $1 billion were stolen, according to Safeware, the Columbus, Ohio computer insurance agency. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.nwfusion.com/net.worker/columnists/2001/0326zbar.html HACKING DANGER GROWS IN AUSTRALIA Australia has experienced an increase in hacker attacks, with 22 web page defacements this year alone (?), according to Ernst & Young eRisk Solutions principal Eric Keser. Link: http://finance.news.com.au/common/story_page/0,4057,1838561%255E462,00.html ANTIGEN FOR LOTUS NOTES Antigen is the anti-virus solution specifically designed to meet the security needs of Lotus Notes users. It detects and removes viruses, including Notes based viruses-before they reach mission-critical applications, and without compromising the integrity of your groupware servers. Link: http://www.security-db.com/product.php?id=46&cid=10 HOW TO AVOID GIVING FREE INFORMATION TO ATTACKERS This paper by Richard Bartley of Xinetica Ltd. explores techniques for the exploitation of corporate information that attackers may use to attack an organization. It focuses on what strategies an organization can implement to minimize the unnecessary disclosure of potentially dangerous information. Link: http://www.securityfocus.com/templates/forum_message.html?forum=2&head=5144&id=5144 COMPARISON OF CLIENT METHODS TO BLOCK SPAM "How do people deal with spam? While there are methods to address UCE at the server, legal, and mail client levels, the individual has only one way to deal with spam: through their mail client software. In this article, I will introduce various means of combatting junk email." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.unixreview.com/administration/articles/0103wa.shtml SAMBA NT DOMAIN CONTROLLER Currently, Samba can go beyond merely emulating Windows shares to actually acting as the Primary Domain Controller for your Windows network. Of course, Samba can also become a NT domain member. In this article we shall look at both these options. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.freeos.com/articles/3842/ ENCRYPTING AN ACCESS DATABASE You might feel discouraged and ask yourself, "Why bother with security?" Do not despair! Fortunately, Access enables you to encrypt a database. The encryption process renders the data in the database indecipherable from data in word processors, disk utilities, and other products capable of reading text. When a database is encrypted, no one can decipher any of its data. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://softwaredev.earthweb.com/devtools/article/0,,12061_724731,00.html REMOTE USERS NEED FIREWALLS TOO Last December, a bank in Southern California received a call from an online customer asking why one of the bank's computers was trying to hack into his system. It turned out that the machine doing the hacking belonged to the bank's president and had been remotely commandeered by an employee. The president called Conqwest Inc., an IT security services firm, which is now rolling out firewall software across the bank's 125 internal desktop, laptop and remote computers. Until recently, companies thought antivirus and VPN technologies would keep remote worker connections safe. But as more workers have been accessing the Internet through broadband services such as cable modems, exposure to hacking attacks through those machines has increased. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.itworld.com/Sec/2211/CWD010326firewalls/ EMAIL FILTERING: THE REAL DEAL "Email is probably my favorite Internet related service. It's also the one that causes me the most problems, with regard to security. People cannot live without email anymore. Email is probably the most convenient form of communication for most of us. It's an easy way to figure out whether the person you want to phone in Australia is awake or not. Email also allows us to easily send files, from simple text documents to spreadsheets - images to video clips. There are extremely few companies and organizations in the world that have an Internet connection but do not use email. Because of this, most Internet spam is now delivered by email, and more importantly, most viruses are now spread via email." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/closet/closet20010328.html A VIRUS THAT LEAPS PLATFORMS A security company has identified what is believed to be the first virus with cross-platform abilities - it can infect both Windows and Linux operating systems. W32.Winux is not affecting many computers, nor is it apt to spread quickly, as people do not tend to share executable programs between machines running Linux operating systems and machines running Windows operating systems. Also called "Linux.Winux," W32.Winux is a non memory resident virus. It can replicate under Windows 95/98/Me/NT/2000 and Linux operating systems and it infects EXE (Windows executable) and ELF files (Linux executable). The infection method is not sophisticated. The virus overwrites the ". reloc" section of Windows executable files. If the .reloc section size is not large enough to hold the virus body, the file is not infected. It does not destroy data but can impact an infected machine's performance due to the background activity of the virus. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://wired.lycos.com/news/technology/0,1282,42672,00.html SECURITY BREACHES IN IT DIVISIONS More than 35% of IT departments have experienced unauthorised access to computer systems, with half of the incidents made up of internal breaches, a survey has found. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://it.mycareer.com.au/networking/20010328/A32550-2001Mar28.html SECURITY SOLUTIONS IN THE REAL WORLD The most secure computer system is the one that's unplugged and buried 10 feet underground, according to security expert Paul Raines. But there are specific steps a company can take to reduce security threats to their live systems - whether from external hackers or disgruntled IT workers. Raines, head of global information risk management for Barclays Capital, laid out those steps to security professionals here at the eSecurity Conference & Exposition in his session entitled, "Security In the Real World." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.networkweek.com/wire/story/TWB20010328S0007 EXPERTS DEBATE SEVERITY OF 'WINUX' VIRUSS Even though there have been no reported cases of infection by the virus - which is incapable of spreading itself via the Internet or e-mail - some anti- virus vendors hailed the program, known variously as "Winux" and "Lindose," as marking the beginning of a new era of virus writing. "It's only interesting in the sense that it shows virus writers are becoming more interested in Linux," said Graham Cluley, senior technology consultant at Sophos Inc., a British anti-virus vendor with U.S. headquarters in Wakefield, Mass. "It's very simple and not likely to spread on any big scale. Its real effect is wasting people's time." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/eweek/stories/general/0,11011,2702054,00.html CHECK POINT FIREWALL-1 ON LINUX, PART THREE This is the third and final article in a series devoted to the exploration of Check Point Firewall-1 for Linux. In the first article we discussed single and multisystem installation and post-installation tasks. The second article explored Firewall-1 concepts such as network objects, firewall rules, address translation rules, and NAT, as well as features and limitations of Firewall-1. In this installment, we will go over aspects of Firewall-1 such as file and directory layout, rulesets, migrating existing Firewall-1 installations to Linux, and backup and standby configurations. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/focus/linux/articles/checkpoint3.html SUEXEC KEEPS YOU IN CONTROL OF YOUR SYSTEMS One of the biggest problems for both Web hosting providers and clients is server security. How do you provide a flexible server environment for the client while maintaining some level of security? In this article, Jamie Wilson explains how the Apache Web server and the suEXEC module make that possible. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.unixinsider.com/unixinsideronline/swol-03-2001/swol-0323-suexec.html GETTING STARTED WITH NETWORKING FOR LINUX Josh Boudreau writes a great tutorial on setting up a network with Linux, all the way from the various networking layers to running telnet and ftp on your Local Area Network (LAN). Link: http://www.linux.com/firststep/newsitem.phtml?sid=1&aid=11991 REVIEWING YOUR X WINDOW SECURITY "In this article we've shown you how insecure X communication can be and what to do in order to provide safe X client-server communication. Depending on the level of security you need to implement, use xhost, xauth or Secure RPC X authentication methods. But no matter what, make sure you implement some form of security. Protect your own X server!" Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.elementkjournals.com/sun/0104/sun0141.htm WELSH HACKER FACES JAIL SENTENCE A hacker who was tracked down to his home in a tiny village in Wales has admitted to hacking into websites between February and March last year for his own gain and may now face a jail sentence. In a pre-trial hearing in court yesterday, 19-year-old computer science student Raphael Gray admitted hacking into the websites of companies such as nettrading, salesgate, feelgoodfalls, mostorefront, albionsmo and the American Society of Clinical Pathologists. He also admitted to stealing credit card information from the exploited sites, using the details for his own gain and offering to supply them to other criminals. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://thebusiness.vnunet.com/News/1119903 DEVELOPING A SUCCESSFUL INFORMATION SECURITY PROCESS Part of any organization's information security program for protecting enterprise components and the information supporting business functions is the risk assessment process implemented and actually followed by that organization. Assessment results must provide cost-effective and management-approved corrective actions that mitigate potential risks down to an acceptable level for network operation and business function. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/articles/risk20010329.html CONSIDERATIONS OF A FIREWALL: PART 1 If you're upgrading your firewall, or installing one on your network for the first time, you'll discover that firewall technology has changed a lot in the last several years. How do you select one that's appropriate for your business? Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnetasia.com/biztech/security/story/0%2C2000010816%2C20192642%2C00.htm THE APRIL FOOLS 2001 BUG IN WINDOWS There is a time-related bug in Windows. It turns out the bug is going to hit on this Sunday (01.04.2001). Applications built with certain versions of Visual C++ could start giving the wrong time of day starting on Sunday. The problem will last for a week. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://msdn.microsoft.com/visualc/headlines/2001.asp SUSE: KERNEL BACKDOOR (APRIL FOOL'S JOKE) Roman Drahtmüller send this message to the suse-security-announce mailing list in regards to an April Fools joke that some people are taking a little bit too seriously... Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxsecurity.com/articles/hackscracks_article-2767.html WAR DRIVING - THE LATEST HACKER FAD The introduction of wireless networking has spawned a fresh sub-culture in the digital underground. It has brought script kiddies out of their bedrooms and onto the roads. War dialling, the hacking practice of phoning up every extension of a corporate phone network until the number associated with a firm's modem bank is hit upon, has been replaced by war driving with the introduction of wireless LANS. Our source tell us that war driving, which is apparently particular popular in Silicon Valley, involves motoring between likely target firms with a PC fitted with a LAN card and trying to break into their networks. Giving the flakey state of wireless security models this is normally childishly simple with even basic cracking tools. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/8/17976.html CEBIT - HACKERS GIVE SIEMENS NET FILTER MOCK 'AWARD' The German hackers' group Chaos Computer Club (CCC) has presented its annual satiric Chaos CeBIT Award, at the CeBIT 2001 trade show, to Siemens AG for the company's "SmartFilter" software. The group said it was honoring Siemens's "special services" in the area of "Internet censorship and obstacles to communication." SmartFilter is a Web filtering tool based on a "control list" of Web site categories and blocked sites. The software is implemented on Siemens's internal servers, and is also available for sale to external customers. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cnn.com/2001/TECH/industry/03/29/cebit.hackers.award.idg/index.html THE SECURITY IMPLICATIONS OF OPEN SOURCE SOFTWARE Natalie Whitlock talks about the incongruence of closed security systems, and the open source solution. She discusses Eric Raymond's ideas, the famous "back door" in Microsoft's FrontPage, the concept of peer review, and the open source dilemma that no one is at the helm guaranteeing that everything will be checked. She then follows the idea from theory to practice and talks with leading IT executives about the viability and popularity of secure open source systems. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www-106.ibm.com/developerworks/linux/library/l-oss.html COPS NAB FIRST ITALIAN VIRUS SUSPECT Italian police have arrested a man suspected of writing the Vierika computer virus, similar to the Kournikova virus which overloaded computer systems around the world last month. The man is believed to be the first Italian charged with virus writing. In a twist, however, Vierika is not believed to have caused much damage. Industry experts said the Italian authorities appear to be making an example out of the suspect, to discourage other virus writers. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2001/12/ns-21943.html ENGARDE SECURE LINUX AVAILABLE FOR DOWNLOAD EnGarde improves the security of existing versions of Linux in critical areas with advanced forms of data integrity management and assurance, a complete suite of e-business services, intrusion alert capabilities, improved authentication and access control utilizing strong cryptography, and complete SSL secure web based administration capabilities. Users familiar with the history of Linux have become accustomed to its stability, versatility, and scalability. Now, with EnGarde, Guardian Digital has added unsurpassed security. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.engardelinux.com/announce.html HACKERS WORSE THAN TERRORISTS - ROBIN COOK Hackers are a greater threat than terrorists, Foreign Secretary Robin Cook reckons. Speaking in Parliament yesterday, he said that a "computer-based attack could cripple the nation more quickly than a military strike". Cook made the claims in a debate on the work of the intelligence services. But where have we heard these claims before? Ah, yes the US National Security Agency, whose director Air Force General Michael Hayden said last November: "The virtual battlefield has "taken on a dimension within which we will conduct operations to ensure American security." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/8/17986.html OPENHACK: DID HE WIN OR NOT? A hacker is claming that he has won Argus' ballyhooed OpenHack III competition by cracking its much-vaunted PitBull security system. Argus concedes the crack, but isn't awarding the promised big cash prize. The same challenge was offered at the European technology conference CeBit this week. This time, one person says he was able to crack the system. But he evidently missed the deadline. A hacker calling himself Bladez won't receive the $4,250 prize offered by Argus because he says he misunderstood what time the competition ended and was under the impression that he had a few hours left to work. Bladez said that he is worried that Argus Systems will hail the CeBit competition as another success or "will simply stay quiet and thrive off their OpenHack coverage. In fact, an Argus Systems employee told me there would probably be no press release, though it wasn't clear if this was because of my hack or not." Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/technology/0,1282,42747,00.html DON'T BE A FOOL Be sure to update your software and be ready for hoaxes and bugs this April Fool's Day! Every year, users fall victim to pranks or malware attacks. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/articles/fool20010330.html ENGARDE SECURE LINUX QUICK START This EnGarde Quick Start guide is designed to help you quickly set up EnGarde Secure Linux, change user passwords, and manage certificates. Although this document is sufficient, we recommend you read the complete user manual for a full understanding of the system. EnGarde Secure Linux comes with an easy to use front-end for installing the operating system. Described in the following sections are the system requirements to successfully complete the installation and run EnGarde Secure Linux. Link: http://ftp.engardelinux.org/pub/engarde/1.0.1/docs/ESLQuick-1.0.1.pdf HACKERS: CORPORATE SECURITY STINKS! Companies are paying more attention to safeguarding their digital assets, but the overall state of corporate data security is still poor, said hackers and security experts attending the CanSecWest conference. Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.msnbc.com/news/552177.asp SYSTEM ADMINISTRATION OF APACHE / TOMCAT Learn all about the pros and cons of JSP web applications at the sysadmin level, including installation and configuration of Apache /Tomcat. This article will give you the basics on object-oriented development efforts, making scaling of your Web site a simple process. Jump into the world of Java Servlets and JSP with Linux! Link: http://www.linux.com/sysadmin/newsitem.phtml?sid=1&aid=11992 ---------------------------------------------------------------------------- Security issues --------------- All vulnerabilities are located at: http://net-security.org/text/bugs ---------------------------------------------------------------------------- ELRON IM PRODUCTS VULNERABILITY At least two products of the Elron Internet Manager family of tools contain directory traversal vulnerabilities. The problem exists in the following products: - IM Message Inspector - IM Anti-Virus Elron Internet Manager products that are not vulnerable are: - IM Firewall If the IM Web Inspector comes with Elron Software's proprietary web server as well, it is undoubtedly vulnerable as well. Link: http://www.net-security.org/text/bugs/985571836,4823,.shtml AKOPIA INTERCHANGE E-COMMERCE PROBLEMS A serious security vulnerability has been found in the default installation of the Interchange demo stores 'barry', 'basic', and 'construct' distributed in Interchange versions 4.5.3 through 4.6.3. Using a group login that had no password set by default, it is possible to log in to the back-end administration area and view and alter products, orders, and customer information. Link: http://www.net-security.org/text/bugs/985571971,72095,.shtml ILMI COMMUNITY IN OLICOM/CROSSCOMM ROUTERS Crosscomm/Olicom routers have a undocumented community string ILMI (yes, the same as in cisco :) that has read and write permissions (i didn't check the whole tree, but you can set system.sysContact.0 for example). This was checked on a XLT-F router with software 'XL 80 IM Version 5.5 Build Level 2' (this was what it reported via snmp). Link: http://www.net-security.org/text/bugs/985632784,11513,.shtml MDAEMON IMAP DENIAL OF SERVICE Some of the commands for the IMAP server do not have proper bounds checking, enabling a user to shutdown the service remotely.It should be noted that a user account is required.The commands affected are SELECT and EXAMINE.The SELECT command selects a mailbox so that messages in it can be accessed.EXAMINE works in the same way as SELECT, however the mailbox is marked as read- only and cannot be modified. Link: http://www.net-security.org/text/bugs/985632878,8973,.shtml RAPTOR 6.5 HTTP VULNERABILITY The Raptor firewall is vulnerability for forwarding http request on other port numbers than 80, if a rule allows http traffic.Redirect rules does not affect this problem. When an extern or internal client, configures itself to use the nearest interface as proxy, it's possible to access other ports that 80 on the target host. Link: http://www.net-security.org/text/bugs/985632976,78240,.shtml BEA WEBLOGIC UNICODE DIRECTORY BROWSING By requesting a URL and ending it with one of the following unicode representations: %00, %2e, %2f or %5c, it is possible to bypass the listing of the default document (eg. index.html) and browse the content of the web folders. Link: http://www.net-security.org/text/bugs/985658808,90631,.shtml PROBLEMS WITH WEBLOGIC 4.5.1 AND 5.1 It is interesting to note that similar (in fact, worse) behaviour is exhibited in both Weblogic 4.5.1 and 5.1. Appending a '%00' to the end of a .jsp request retrieves the source of the jsp. Link: http://www.net-security.org/text/bugs/985694957,71506,.shtml LINUX MANDRAKE - OPENSSH UPDATE There are several weaknesses in various implementations of the SSH protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. The information can later be used to speed up brute-force attacks on passwords, including the initial login password and other passwords appearing in interactive SSH sessions, such as those used with su. Versions of OpenSSH 2.5.2 and later have been fixed to reduce the impact of these traffic analysis problems, and as such all Linux- Mandrake users are encouraged to upgrade their version of openssh immediately. Link: http://www.net-security.org/text/bugs/985695208,67583,.shtml ANACONDA CLIPPER VULNERABILITY Comment: '..' and '/' are not filtered while processing user input, so it is possible to enter arbitrary values to retreive files from remote sever, which should not be accessible normally (for ex., /etc/passwd). Link: http://www.net-security.org/text/bugs/985727518,50822,.shtml SOLARIS /USR/BIN/TIP VULNERABILITY The tip program is installed setuid uucp by default in Solaris, it contains a vulnerability in handling data from enviroment variables, if this variable exceeds predefined lenght an exploitable stack overflow can occur. Through exploiting this vulnerability an attacker can gain effective uid uucp and through that root. Link: http://www.net-security.org/text/bugs/985727795,52777,.shtml IMMUNIX OS SECURITY ADVISORY: KERNEL The 2.2.19 kernel release fixes numerous security problems including the ptrace/execve race condition bug that was reported by Wojciech Purczynski. Link: http://www.net-security.org/text/bugs/985781896,12557,.shtml CONECTIVA LINUX - LICQ UPDATE "licq" is a very popular ICQ graphical client. Previous versions have two vulnerabilities that could be exploited by a remote attacker to execute arbitrary commands on the client host. The first vulnerability is a buffer overflow in a log function. The second vulnerability consists in the use of the system() function to invoke an external browser when an URL is received. This function will expand and interpret shell characters and this could be used to execute commands on behalf of the user running licq. Link: http://www.net-security.org/text/bugs/985781950,25662,.shtml LINUX MANDRAKE - VIM UPDATE Users could embed malicious VIM control codes into a file, and as soon as any user opened that file in vim-enhanced or vim-X11 with the status line option enabled in .vimrc, the commands would be executed as that user. Link: http://www.net-security.org/text/bugs/985781974,91775,.shtml SONICWALL IKE PRE-SHARED KEY LENGTH BUG The limitation of using only a 48 byte key as opposed to using a full 128 byte key degrades the overall security of the firewall. Link: http://www.net-security.org/text/bugs/985782130,58962,.shtml SYMANTEC RESPONSE REGARDING RAPTOR BUG The first point we would like to make is that although we do agree with the authors as it relates to the security implication of the described HTTP functionality we do not accept the assertion that this is a product related issue with the Raptor Firewall (HTTP proxy). Rather, our Raptor Firewall HTTP proxy is RFC-compliant, and as such it is behaving consistently with the specification as described in RFC 2616. From a pure protocol perspective, this is a valid HTTP connection and thus the traffic is being allowed through the firewall with a proper rule. However, recognizing the security impact of this configuration, the Raptor Firewall provides you with the capability to shut down this functionality by setting a configuration option (http.noproxy) through our configuration files or the RMC. Link: http://www.net-security.org/text/bugs/985782335,57110,.shtml PROBLEMS WITH DCOM VB T-SQL DEBUGGER Microsoft Developer Studio version 6 installs a world-launchable DCOM object, known as the VB T-SQL Debugger, which contains an exploitable buffer overflow. Link: http://www.net-security.org/text/bugs/985782436,4158,.shtml MYSQL 3.23.36 FIXES SECURITY HOLES This release should fix the final bugs we accidently got into 3.23.34 and a long security bug that has been in MySQL a long time! The main fixed bugs are that UPDATE didn't always use keys when updating on something not based on a primary key and that 'affected rows' wasn't returned to the client if the mysqld server wasn't compiled with support for transactions. Link: http://www.net-security.org/text/bugs/985782554,94105,.shtml VPN3000 CONCENTRATOR TELNET VULNERABILITY Sending a flood of data to the SSL or regular telnet port can cause the Cisco VPN 3000 series concentrators to reboot. After rebooting, the equipment would function normally until the flood of data is sent again. To remove the vulnerability, Cisco is offering free software upgrades to revision 3.0.00 for all affected platforms. The defect is described in DDTS record CSCds90807. Link: http://www.net-security.org/text/bugs/985819001,59759,.shtml INFRAMAIL DENIAL OF SERVICE VULNERABILITY There exists a paring problem in the handling of 302 pages by the server serving both the webpages and the administration interface for the members of the Inframail product family. This allows for a DoS against the system through a malformed POST request consisting of a space followed by a long string (276 bytes or more) of characters. The running services will freeze and the program will need to be restarted to regain full functionality. Link: http://www.net-security.org/text/bugs/985819085,68042,.shtml SOLARIS 2.7 + IBM WCS 4.0.1 VULNERABILITY Follow URL insert "/" will be downloading ".jsp" source. Link: http://www.net-security.org/text/bugs/985879982,82795,.shtml TOMCAT 3.0 FOR WIN2000 VULNERABILITY A security vulnerability has been found in Windows NT/2000 systems that have Tomcat 3.0 installed.The vulnerability allows remote attackers to access files outside the document root directory scope. Link: http://www.net-security.org/text/bugs/985880053,23891,.shtml ---------------------------------------------------------------------------- Security world -------------- All press releases are located at: http://net-security.org/text/press ---------------------------------------------------------------------------- COVERT LABS ON INVALID CERTIFICATES - [26.03.2001] McAfee AVERT (Anti-Virus Emergency Response Team) in conjunction with COVERT Labs (Computer Vulnerability Emergency Response Team) at PGP Security, divisions of Network Associates, Inc. advised computer users of recently discovered invalid digital certificates issued by VeriSign to an unidentified person posing as a Microsoft employee. The digital certificates, which normally are used to verify authorized issuers, could be used to authenticate viruses and malicious code. AVERT and COVERT report that no damage has been associated with the fraudulent certificates. Press release: < http://www.net-security.org/text/press/985572246,4935,.shtml > ---------------------------------------------------------------------------- TEMPEST SOFTWARE SHIPS SITESHIELD - [26.03.2001] Tempest Software, Inc. a premier provider of technology and products that facilitate secure, standards-based information exchange over the Internet, announced it is shipping Version 2 of SiteShield, the new "plug and play" software solution to secure websites. Based on Tempest's solid, proven technology, SiteShield protects all applications, data and information assets on a web server by keeping it securely behind a firewall closed to all incoming traffic. SiteShield addresses the need for e-business openness while protecting companies against potentially embarrassing and destructive hacking and security lapses. Press release: < http://www.net-security.org/text/press/985633090,77204,.shtml > ---------------------------------------------------------------------------- CISCO SYSTEMS AND MICROSOFT PARTNER - [26.03.2001] Cisco Systems, Inc. announces the first implementation of the 802.1x draft security standard shipping on its Cisco Aironet 350 Series of Wi-Fi (IEEE 802.11b) compliant wireless local area networking (WLAN) products. Cisco collaborated with Microsoft to develop, deliver and deploy the first enterprise authentication and security architecture based on the in progress Institute of Electrical and Electronics Engineers 802.1x and Extensible Authentication Protocol (EAP) standard. Through this cooperative effort between Cisco and Microsoft, enterprises can, for the first time, scale wireless deployments to thousands of users with a standard, centralized security management framework while streamlining network management and administration. Press release: < http://www.net-security.org/text/press/985633141,91936,.shtml > ---------------------------------------------------------------------------- SECURITYFOCUS' ARIS ANALYZER - [26.03.2001] SecurityFocus.com is proud to announce ARIS (Attack Registry and Intelligence Service) Analyzer. The ARIS Analyzer is a free service that allows you to submit attack data collected by intrusion detection systems and helps you manage your security incidents. ARIS Analyzer also allows you to correlate your attacks with those seen by other people. Press release: < http://www.net-security.org/text/press/985633561,34135,.shtml > ---------------------------------------------------------------------------- SECURING NEW MICROSOFT TECHNOLOGY CENTER - [27.03.2001] Rainbow Technologies, Inc., a leading provider of high-performance security solutions for the Internet and eCommerce, and iVEA Technologies, a Rainbow Technologies company, announced that Microsoft Corp. will feature Rainbow's iKey workstation security solution and iVEA's CryptoSwift eCommerce accelerator as critical components for the new Microsoft Technology Center - Silicon Valley (MTC-SV), opening in Mountain View, California. Rainbow and iVEA products are currently used in MTCs in Waltham, Mass. and Austin, Texas. The MTC-SV is a working lab dedicated to the development and rapid deployment of eCommerce solutions to both startups and established business-to-business (B2B) companies. Press release: < http://www.net-security.org/text/press/985694527,1979,.shtml > ---------------------------------------------------------------------------- SECURING ANY MESSAGING ENVIRONMENT - [27.03.2001] Addressing the increasing need for secure messaging networks, Mirapoint, a leading provider of Internet messaging infrastructure products, was announced the release of the Mirapoint Message Director, the first system optimised for securing any messaging environment. The Message Director is a scalable and easy to deploy messaging solution that can be added to any enterprise or service provider messaging environment. BMW Group is the first customer of the Message Director and will use the new product to increase message security, management and performance. Press release: < http://www.net-security.org/text/press/985694688,65075,.shtml > ---------------------------------------------------------------------------- SYGATE PERSONAL FIREWALL 4.0 ANNOUNCED - [28.03.2001] Sygate Technologies, a leading provider of Internet security software solutions, announced the release of Sygate Personal Firewall 4.0, the first personal firewall software that combines firewall and intrusion defense technologies to deliver comprehensive security and ease of use for home and small businesses. As a firewall, Sygate Personal Firewall 4.0 controls access to communication ports and monitors any port-scanning activity. As an intrusion defense agent, it only allows trusted communication and considers any other network activity `guilty until proven innocent.' As a result, Sygate Personal Firewall 4.0 secures computer systems, without the obtrusive and irrelevant alerting characteristics of other security solutions. When attacks do occur, Sygate Personal Firewall 4.0 offers forensic capabilities allowing users to find the source of intrusion and take appropriate action. Press release: < http://www.net-security.org/text/press/985744343,74897,.shtml > ---------------------------------------------------------------------------- NETWORK ICE WINS `BEST OF SHOW' - [28.03.2001] Network ICE, a leading provider of intrusion detection and protection for enterprises and consumers, won "Best of Show" at Upside Events' Preview Spring 2001 in Beverly Hills, Calif. Undercover journalists at the March 13 competition scored and ranked nearly 20 invited-only companies on innovation, user-friendliness and potential benefit to customers. ICEpac Security Suite, Network ICE's enterprise product, beat nearly 20 companies that demonstrated their latest products and technologies. ICEpac uses Network ICE's patent-pending BlackICE technology to detect, identify and block hackers' Internet attacks before they can compromise a system. The ICEpac suite is designed to protect an entire corporation's network including remote VPN users. It uses one of the most advanced intrusion detection technologies to single out hackers and stop them from breaking into your network or stealing valuable information assets. Press release: < http://www.net-security.org/text/press/985744438,94075,.shtml > ---------------------------------------------------------------------------- COMPUTER WORMS: FLASHBACK TO EARLY 90S? - [28.03.2001] With more than two thousand new computer viruses rearing their ugly heads each month, it's the worms among them that keep "hacker trackers" up at night. Unlike simple viruses, which spread from file to file in one computer, worms live short but spectacular lives, inflicting major damage quickly because they use the network to spread from computer to computer. Now that network operating systems have been available for some time, there is mounting concern among Internet security experts that the ever increasing availability of information on the "guts" of network operating systems gives hackers clues to break in and compromise a network's security. Press release: < http://www.net-security.org/text/press/985744630,4514,.shtml > ---------------------------------------------------------------------------- CENTRAL COMMAND DISCOVERS W32.WINUX - [28.03.2001] Central Command, a leading provider of PC anti-virus software and computer security services, and its partners announced the discovery of W32.Winux, the world's first cross platform virus capable of infecting computers using both the Microsoft Windows and Linux operating systems. "Today with the discovery of W32.Winux, we have received the world's first known virus capable of spreading on both Windows and Linux computer systems. While people do not share executables between these operating systems, this new proof of concept virus represents a technology innovation that may lead to more destructive viruses in the future. Our Emergency Virus Response Team discovered this new virus and has analyzed it," said Steven Sundermeier, Product Manager at Central Command Inc. Press release: < http://www.net-security.org/text/press/985783671,65011,.shtml > ---------------------------------------------------------------------------- FORENSICS EXPLORERS INTRODUCES NETINFORMANT - [30.03.2001] Forensics Explorers introduces NetInformant, a suite of products that go far beyond other network security systems and solves problems most network security software cannot even detect. In addition, NetInformant is the only network security system that can guard against the most dangerous and difficult to detect threats: threats from an organizations trusted employees, clients and strategic partners, the people who operate behind the firewall. While most network security software merely tracks network activity and compares it to a list of known security risks, or calculates whether specific activity is statistically unusual, NetInformant audits and evaluates all network activity, flags network security management when potential client-specified issues arise, and produces action items which can be implemented immediately. Press release: < http://www.net-security.org/text/press/985912691,88510,.shtml > ---------------------------------------------------------------------------- Featured articles ----------------- All articles are located at: http://www.net-security.org/text/articles Articles can be contributed to staff@net-security.org Below is the list of the recently added articles. ---------------------------------------------------------------------------- TRACKING SPYWARE AND PROBES by M. E. Kabay "I'd like to share with you a recent exchange I had with a friend of mine whose system seems to have been infected with spyware. Hopefully, this case study will help you when you examine your own systems." Read more: < http://www.net-security.org/text/articles/nwf/tracking.shtml > ---------------------------------------------------------------------------- TESTING PATCHES by M. E. Kabay There are many firms, including AtomicTangerine, which can carry out penetration tests to verify that patches are up to date and functioning. Just be sure that you obtain contractual confirmation that the firm does not hire criminal hackers. The last thing you need is to have untrustworthy people testing your security. Read more: < http://www.net-security.org/text/articles/nwf/testing.shtml > ---------------------------------------------------------------------------- HTML MAIL THREATENS PRIVACY by M. E. Kabay The threat to privacy from Big Brother (governments) sometimes overshadows the equal threat from "Little Brother" (industry). Read more: < http://www.net-security.org/text/articles/nwf/html.shtml > ---------------------------------------------------------------------------- Security Software ------------------- All programs are located at: http://net-security.org/various/software ---------------------------------------------------------------------------- LIONFIND 0.1 Lion is a new worm, that is very similar to the Ramen worm. However, this worm is much more dangerous and should be taken seriously. It infects Linux machines with the BIND DNS server running. It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px. BIND 8.2.3-REL and BIND 9 are not vulnerable. The BIND vulnerability is the TSIG vulnerability that was reported back on January 29, 2001. SANS developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. It will list which of the suspect files is on the system. Info/Download: < http://www.net-security.org/various/software/985822791,25782,linux.shtml > ---------------------------------------------------------------------------- CHKROOTKIT 0.30 chkrootkit is a tool to locally check for signs of a rootkit. It contains: chkrootkit: shell script that checks system binaries for rootkit modification. The following commands are examined: basename, biff, chfn, chsh, cron, date, dirname, du, echo, env, find, fingerd, grep, identd, ifconfig, inetd, killall, login, ls, mail, netstat, passwd, pidof, pop2, pop3, ps, pstree, rpcinfo, rshd, sendmail, sshd, su, syslogd, tar, tcpd, telnetd, timed, top, traceroute, write ifpromisc.c: checks if the interface is in promiscuous mode. chklastlog.c: checks for lastlog deletions. chkwtmp.c: checks for wtmp deletions. chkproc.c: checks for signs of LKM trojans. The following rootkits and worms are currently detected: lrk3, lrk4, lrk5, lrk6 (and some variants); Solaris rootkit; FreeBSD rootkit; t0rn (including latest variant); Ambient's Rootkit for Linux (ARK); Ramen Worm; rh[67]-shaper; RSHA; Romanian rootkit; RK17; Lion Worm. Info/Download: < http://www.net-security.org/various/software/985827056,98592,linux.shtml > ---------------------------------------------------------------------------- Defaced archives ------------------------ [26.03.2001] Original: http://enlint003.ericsson.nl/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/enlint003.ericsson.nl/ OS: Windows Original: http://pokemon.nintendo.es/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/pokemon.nintendo.es/ OS: Windows Original: http://www.necworx.nec.com/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/www.necworx.nec.com/ OS: Windows Original: http://www.suizhong.gov.cn/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/www.suizhong.gov.cn/ OS: Windows Original: http://c3-svr.hq.nato.int/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/c3-svr.hq.nato.int/ OS: Windows Original: http://www.intelsat.int/ Defaced: http://defaced.alldas.de/mirror/2001/03/26/www.intelsat.int/ OS: Windows [27.03.2001] Original: http://www.tjciq.gov.cn/ Defaced: http://defaced.alldas.de/mirror/2001/03/27/www.tjciq.gov.cn/ OS: Windows Original: http://www.microsoft.economy.ru/ Defaced: http://defaced.alldas.de/mirror/2001/03/27/www.microsoft.economy.ru/ OS: Windows Original: http://www.shangyu.gov.cn/ Defaced: http://defaced.alldas.de/mirror/2001/03/27/www.shangyu.gov.cn/ OS: Windows Original: http://www.hertz.fi/ Defaced: http://defaced.alldas.de/mirror/2001/03/27/www.hertz.fi/ OS: Windows Original: http://www.foundry.sony.com/ Defaced: http://defaced.alldas.de/mirror/2001/03/27/www.foundry.sony.com/ OS: Windows [28.03.2001] Original: http://www.yahoo.com.ph/ Defaced: http://defaced.alldas.de/mirror/2001/03/28/www.yahoo.com.ph/ OS: Unknown Original: http://www.volvo.com.tw/ Defaced: http://defaced.alldas.de/mirror/2001/03/28/www.volvo.com.tw/ OS: Unknown Original: http://www.travel.gov.cn/ Defaced: http://defaced.alldas.de/mirror/2001/03/28/www.travel.gov.cn/ OS: Windows Original: http://www.telefonica.com.uy/ Defaced: http://defaced.alldas.de/mirror/2001/03/28/www.telefonica.com.uy/ OS: Linux [29.03.2001] Original: http://www.telfort.ericsson.nl/ Defaced: http://defaced.alldas.de/mirror/2001/03/29/www.telfort.ericsson.nl/ OS: Windows Original: http://enlint004.ericsson.nl/ Defaced: http://defaced.alldas.de/mirror/2001/03/29/enlint004.ericsson.nl/ OS: Windows Original: http://www.ebay.co.th/ Defaced: http://defaced.alldas.de/mirror/2001/03/29/www.ebay.co.th/ OS: Windows Original: http://www.agrisd.gov.cn/ Defaced: http://defaced.alldas.de/mirror/2001/03/29/www.agrisd.gov.cn/ OS: Windows [30.03.2001] Original: http://www.contraloriadecundinamarca.gov.co/ Defaced: http://defaced.alldas.de/mirror/2001/03/30/www.contraloriadecundinamarca.gov.co/ OS: Windows Original: http://harita.intel.com/ Defaced: http://defaced.alldas.de/mirror/2001/03/30/harita.intel.com/ OS: Windows Original: http://www.camaragyn.go.gov.br/ Defaced: http://defaced.alldas.de/mirror/2001/03/30/www.camaragyn.go.gov.br/ OS: Windows [31.03.2001] Original: http://shop.europe.creative.com/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/shop.europe.creative.com/ OS: Unknown Original: http://www.canon-office.co.uk/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/www.canon-office.co.uk/ OS: Windows Original: http://www.renault.pt/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/www.renault.pt/ OS: Windows Original: http://www.peugeot.sk/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/www.peugeot.sk/ OS: Unknown Original: http://www.martini.com/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/www.martini.com/ OS: Windows Original: http://www.panasonic-office.co.uk/ Defaced: http://defaced.alldas.de/mirror/2001/03/31/www.panasonic-office.co.uk/ OS: Windows ---------------------------------------------------------------------------- Questions, contributions, comments or ideas go to: Help Net Security staff staff@net-security.org http://net-security.org http://security-db.com