Net-Sec newsletter
Issue 24 - 01.08.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly roundups of security events that were in the news the past week. Visit Help Net Security for the latest security news - http://www.net-security.org.

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Table of contents:

1) General security news
2) Security issues
3) Security world
4) Featured articles
5) Security books
6) Defaced archives

============================================================
Sponsored by Kaspersky Lab - Your Personal Anti-Virus Guard
============================================================
The Breakthrough Technology Protecting Your Computers From Viruses! Subscribe to Kaspersky Lab's FREE newsletter delivering you the latest and trustworthy information source on computer viruses and their counter measures. You will always be up to date when securing your computer! Join now!
http://www.kasperskylab.ru/eng/news/maillist.asp
============================================================

General security news
---------------------

----------------------------------------------------------------------------

PICKING THE LOCKS ON THE INTERNET SECURITY MARKET
"Another day, another e-commerce break-in ... The problem, argue a number of new startups, isn't products. It's people."
Link: http://www.redherring.com/insider/2000/0724/tech-fea-security-home.html

WE'RE STILL GETTING SECURITY WRONG
Worries about security, and justified ones at that, could still stop the eCommerce bandwagon in its tracks, it seems. The recent revelation of a security loophole in MS Outlook has been followed by a report from IDC asserting that corporate Europe is still adopting the wrong approach to strengthening the security of its systems.
Link: http://www.it-director.com/00-07-25-3.html

EVALUATION TECHNOLOGY FOR INTERNATIONAL SECURITY STANDARD
The international standard serves as a framework for establishing system reliability by a product's functions, quality, operation and management. More specifically, the standard prescribes requirements for the functioning and quality of the security component that systems must meet to prevent intrusion and unauthorized access.
Link: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/108225

COST OF INTRUSIONS
Enterprises hiring reformed crackers to expose their soft underbellies will only add to the more than $2.6 trillion lost worldwide annually because of security intrusions, warns professional services firm PricewaterhouseCoopers.
Link: http://www.it.fairfax.com.au/industry/20000725/A26681-2000Jul24.html

MICROSOFT SECURITY EXECUTIVE PROMISES IMPROVEMENTS
The man who receives more complaints about the security of Microsoft Corp.'s software than anyone on the planet vowed here yesterday that the company's products are improving in quality and will continue to become more secure.
Link: http://www.idg.net/ic_204796_1794_9-10000.html
Can we believe that? Comment on this in our forum:
http://www.net-security.org/phorum/read.php?f=2&i=41&t=41

WHY PEOPLE NEED OUTLOOK
With all these problems with Microsoft Outlook, people are wondering why others use Outlook rather than some other mail client. On the HNS forum, Ladi wrote her opinion on "Why is Outlook so widely used in corporate environments?".
Link: http://www.net-security.org/phorum/read.php?f=2&i=39&t=29

DEFACEMENTS BY WEBSERVER
Attrition published statistics entitled "Defacements by Webserver August 01, 1999 - July 22, 2000". According to the stats, Microsoft IIS had the biggest number of defacements.
Link: http://www.attrition.org/mirror/attrition/webserver-graphs.html

ERROR AND ATTACK TOLERANCE OF COMPLEX NETWORKS
The Internet's reliance on only a few key nodes makes it especially vulnerable to organized computer attacks, according to a new study on the structure of the worldwide network.
Link: http://www.nature.com/cgi-taf/DynaPage.taf?file=/nature/journal/v406/n6794/full/406378a0_fs.html

SECURITY POLICY
Marcus Ranum, chief technology officer at NFR: "We are creating hordes and hordes of script kiddies. They are like cockroaches. There are so many script kiddies attacking our networks that it's hard to find the real serious attackers because of all the chaotic noise."
Link: http://news.excite.com/news/zd/000726/18/silence-the-best

NSA OFFICIAL BLASTS AT SECURITY VENDORS
The National Security Agency's senior technical director Thursday lambasted developers of security tools, which he said were so weak that they encouraged attacks by computer crackers.
Link: http://www.infoworld.com/articles/hn/xml/00/07/28/000728hnnsa.xml

BRITISH VERSION OF CARNIVORE IS NOW LAW
The British government approved the Regulation of Investigatory Powers (RIP) that allows British law-enforcement agencies to force ISPs to hand over 'Net traffic logs and encrypted e-mail messages, along with the decryption keys needed to read their content. ISPs will have to set up secure channels to the government's monitoring center and to install "black boxes" that will do the tracking if the government issues a notice and has a warrant asking the ISP to do so.
Link: http://www.geek.com/news/geeknews/q22000/gee2000728001991.htm

HOW THE FBI INVESTIGATES COMPUTER CRIME
This guide provides information about the federal investigative and prosecutive process for computer related crimes. It will help you understand some of the guidelines, policies, and resources used by the Federal Bureau of Investigation when it investigates computer crime.
Link: http://www.cert.org/tech_tips/FBI_investigates_crime.html

TOOL TRACES DENIAL OF SERVICE SOURCES
The Internet Engineering Task Force (IETF) is working on technology that will minimise the problem of denial of service attacks by making it possible to quickly trace the source of the attack. The organisation last week formed a working group to develop ICMP Traceback Messages, which would allow network administrators to trace the path packets take through the internet.
Link: http://www.vnunet.com/News/1107643

RECRUITING HACKERS
Department of Defense and military officials turned a hacker conference into a recruiting drive Friday, trying to woo the best and the brightest into becoming security experts.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2609334,00.html

DEFCON
Defcon has always been an event known as much for its intensive technical content - talks on "advanced buffer overflow techniques" are de rigueur - as its social opportunities, but this year it seems to have become more party than conference. Call it the new American geek holiday.
Link: http://www.wired.com/news/culture/0,1284,37896,00.html

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs

----------------------------------------------------------------------------

VULNERABILITY IN NETSCAPE BROWSERS
This advisory explains a vulnerability in Netscape browsers present since at least version 3.0 and up to Netscape 4.73 and Mozilla M15. The vulnerability is fixed in Netscape 4.74 and Mozilla M16.
Link: http://www.net-security.org/text/bugs/964528232,40698,.shtml

IBM WEBSPHERE VULNERABILITY
A show code vulnerability exists with IBM's Websphere allowing an attacker to view the source code of any file within the web document root of the web server.
Link: http://www.net-security.org/text/bugs/964528397,78068,.shtml

ANALOGX PROXY DOS
AnalogX Proxy is a simple but effective proxy server that has the ability to proxy requests for the following services: HTTP, HTTPS, SOCKS4, SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP. Using commands of an appropriate length, many of the services exhibit unchecked buffers causing the proxy server to crash with an invalid page fault thus creating a denial of service. Normally this would only be a concern for users on the LAN side of the proxy, but by default Proxy is configured to bind to all interfaces on the host and so this would be exploitable remotely from over the Internet.
Link: http://www.net-security.org/text/bugs/964577654,52746,.shtml

PATCH FOR "NETBIOS NAME SERVER PROTOCOL SPOOFING"
Microsoft has released a patch that eliminates a security vulnerability in a protocol implemented in Microsoft Windows systems. It could be used to cause a machine to refuse to respond to requests for service.
Link: http://www.net-security.org/text/bugs/964789771,23452,.shtml

BEA'S WEBLOGIC SHOW CODE VULNERABILITY
Two show code vulnerabilities exist with BEA's WebLogic 5.1.0 allowing an attacker to view the source code of any file within the web document root of the web server. Depending on the web application and directory structure, an attacker can access and view unauthorized files.
Link: http://www.net-security.org/text/bugs/964901015,87907,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

E-SHOPPING MADE FAST, EFFICIENT AND SECURE - [24.07.2000]

JAWS Technologies Inc. announced that it has signed a memorandum of understanding with iSolver.com to integrate JAWS security solutions into iSolver's technology and facilities.
JAWS will develop new secure Internet encryption products to support iSolver's Universal Cart Technology (UCT). In addition, JAWS will validate, develop and deliver security concepts for all new Internet applications conceived by iSolver. The two firms expect to complete a definitive Business Partnership Agreement Aug. 1, 2000, which will have JAWS provide for a total security solution to support iSolver's business offering.

Press release:
< http://www.net-security.org/text/press/964399208,14554,.shtml >

----------------------------------------------------------------------------

JAVA-BASED B2B TECHNOLOGY TO ALLOW DIGITAL SIGNATURES - [24.07.2000]

With the recent passage of the landmark Electronics Signature Act giving digital signatures legal validity, Cyclone Commerce, Inc. continues to take the lead in making E-Signatures an eCommerce reality. With its flagship product, Cyclone Interchange, organizations can apply valid and secure digital signatures to every document sent. This is made possible by Cyclone CrossWorks Security Framework, a revolutionary technology the company pioneered.

Press release:
< http://www.net-security.org/text/press/964475791,79890,.shtml >

----------------------------------------------------------------------------

ZKS PREVIEWS LINUX VERSION OF FREEDOM - [24.07.2000]

Zero-Knowledge Systems, the leading developer of privacy solutions for consumers and companies, will release its first source code. Mike Shaver, Zero-Knowledge's Chief Software Officer, last week previewed the Linux client of the company's award-winning privacy software, Freedom at the Ottawa Linux Symposium. In this first source release, Zero-Knowledge will release the source code of the Freedom Linux kernel interface.
Press release:
< http://www.net-security.org/text/press/964475936,91408,.shtml >

----------------------------------------------------------------------------

RAINBOW SIGNS NEW CRYPTOSWIFT OEM AGREEMENT - [25.07.2000]

Rainbow Technologies, Inc., a leading provider of high-performance security solutions for the Internet and eCommerce, today announced that the company has signed a major OEM agreement with a leading provider of next-generation Internet infrastructure solutions - and has received an initial order of nearly $1 million. Rainbow's CryptoSwift eCommerce accelerator is a key component in a new family of products designed to enable eBusinesses to meet the demands resulting from the rapid growth of the Internet. This new family of products is optimized to manage Web traffic - and provide the high performance and availability of leading networking infrastructure solutions.

Press release:
< http://www.net-security.org/text/press/964482291,24441,.shtml >

----------------------------------------------------------------------------

SYBARI'S ANTIGEN SELECTED BY SUNBELT SOFTWARE - [25.07.2000]

Sybari Software, Inc., the premier antivirus and security specialist for groupware solutions today, announced that it has been selected by Sunbelt Software, the No. 1 provider of "best-of-breed" solutions for Windows 2000/NT, for antivirus protection of their groupware environment. "We needed something we knew could protect our groupware. A network disabled, even for a short while, from a virus attack is not acceptable," said Stu Sjouwerman, president of Sunbelt Software.

Press release:
< http://www.net-security.org/text/press/964482448,58117,.shtml >

----------------------------------------------------------------------------

DEFENDNET SOLUTIONS PARTNERS WITH TREND MICRO - [25.07.2000]

DefendNet Solutions Inc., a leading provider of total managed security solutions for the Internet, today announced that it has partnered with Trend Micro Inc.
to deliver virus scanning services based on Trend Micro's award-winning InterScan VirusWall technology. By incorporating Trend Micro's InterScan antivirus software into its comprehensive suite of managed security offerings, DefendNet will enable its carrier partners to offer remotely managed gateway virus protection to their corporate customers.

Press release:
< http://www.net-security.org/text/press/964482508,73308,.shtml >

----------------------------------------------------------------------------

SYMANTEC STRENGTHENS WITH ACQUISITION OF AXENT - [27.07.2000]

Symantec Corp. and AXENT Technologies announced that their boards of directors have approved the acquisition of AXENT by Symantec in a stock-for-stock transaction valued at approximately $975 million. The combination of the two companies will create a new leader in Internet security for enterprise customers. Under the agreement, AXENT shareholders will receive in a tax-free exchange 0.50 shares of Symantec common stock for each share of AXENT common stock they own.

Press release:
< http://www.net-security.org/text/press/964717984,72585,.shtml >

----------------------------------------------------------------------------

'HACK PROOFING YOUR NETWORK' - [28.07.2000]

Syngress Publishing, Inc., today announced the publication of "Hack Proofing Your Network: Internet Tradecraft" by Ryan Russell and with contributing grey-hat hackers such as "Mudge," "Rain Forest Puppy," "Caezar," "Effugas," and "Blue Boar." The premise of the book is "The only way to stop a hacker is to think like one." It provides a tour of information security from the hacker's perspective and offers practical advice for fending off local and remote network attacks. The book is divided into four parts on theory and ideals, local attacks, remote attacks, and reporting.
Press release:
< http://www.net-security.org/text/press/964790472,38581,.shtml >

----------------------------------------------------------------------------

FREE INDUSTRY-LEADING ANTI-VIRUS SOLUTION - [28.07.2000]

Verio Inc. and Computer Associates International, Inc. today announced that the two companies have entered into a partnership to help ensure safe computing in eBusiness environments. The alliance provides Verio with the opportunity to offer its 400,000 customers a free, downloadable version of CA's award-winning anti-virus solution, InoculateIT Personal Edition. The anti-virus software is a component of eTrust, CA's comprehensive Internet security solutions suite.

Press release:
< http://www.net-security.org/text/press/964790527,6132,.shtml >

----------------------------------------------------------------------------

@STAKE ACQUIRES CERBERUS INFORMATION SECURITY - [27.07.2000]

@stake, the world's leading Internet security professional services firm, today announced the acquisition of London-based Cerberus Information Security, Ltd, specialists in penetration testing and security auditing services. As a result of today's acquisition, @stake has formalized its entry into the European market, paving the way for further global expansion. With this agreement, CIS' security specialists will become @stake security consultants. In addition, @stake will inherit CIS' client base, a roster of more than 20 blue-chip clients based in the UK. Financial terms of the acquisition were not disclosed.

Press release:
< http://www.net-security.org/text/press/964837499,43578,.shtml >

----------------------------------------------------------------------------

Featured articles
-----------------

All articles are located at:
http://www.net-security.org/text/articles

Articles can be contributed to staff@net-security.org

Listed below are some of the recently added articles.

----------------------------------------------------------------------------

MACRO VIRUSES: BACKGROUND, TRUTH ABOUT THE THREAT AND METHODS OF PROTECTION
by Andy Nikishin, Mike Pavluschik and Denis Zenkin from Kaspersky Lab Ltd.

"About 5 years ago the term "macro virus" appeared for the first time. Despite the development of reliable security measures against such an infection and numerous reviews on macro-virus protection methods, it still arouses fear in millions of computer users..."

Article:
< http://www.net-security.org/text/articles/viruses/macro.shtml >

----------------------------------------------------------------------------

DIGITAL CERTIFICATES & ENCRYPTION
by Lance Spitzner

This is a white paper dedicated to Digital Certificates & Encryption, how they work and apply to Internet Commerce.

Article:
< http://www.net-security.org/text/articles/spitzner/certificates.shtml >

----------------------------------------------------------------------------

BUILDING A SECURE GATEWAY SYSTEM
by Chris Stoddard

"I'm going to make a couple of assumptions here, first, you know how to install Linux and are familiar with its use. Second I assume you are setting up a gateway computer permanently attached to the internet be it by cable modem, DSL or whatever and will not be used for anything else like a ftp, telnet or web server..."

Article:
< http://www.net-security.org/text/articles/lg_1.shtml >

----------------------------------------------------------------------------

BUILDING A SECURE GATEWAY, PART II
by Chris Stoddard

"In the last article, we installed Linux with only those packages we absolutely needed. (If you have not read my previous article, you should do so now, as it is the base from which this is built on.) Now comes the detail work, turning your gateway into a fortress. The first thing to understand is there is no way to be completely secure."
Article:
< http://www.net-security.org/text/articles/lg_1-1.shtml >

----------------------------------------------------------------------------

Featured books
----------------

The HNS bookstore is located at:
http://net-security.org/various/bookstore

Suggestions for books to be included into our bookstore can be sent to staff@net-security.org

----------------------------------------------------------------------------

MASTERING NETWORK SECURITY

Do you need to secure your network? Here's the book that will help you implement and maintain effective network security, no matter what size your network is or which NOS you're using. Packed with practical advice and indispensable information, this book systematically identifies the threats that your network faces and explains how to eliminate or minimize them. Covers all major network operating systems - NT, NetWare, and Unix - and all aspects of network security, from physical security of premises and equipment to anti-hacker countermeasures to setting up your own Virtual Private Networks. The CD includes evaluation and demonstration versions of commercial firewalls, intrusion detection software, and a complete security policy.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0782123430/netsecurity >

----------------------------------------------------------------------------

CRYPTOGRAPHY AND NETWORK SECURITY : PRINCIPLES AND PRACTICE

This book presents detailed coverage of network security technology, the standards that are being developed for security in an internetworking environment, and the practical issues involved in developing security applications. KEY TOPICS: Opening with a tutorial and survey on network security technology, this book provides a sound mathematical foundation for developing the algorithms and results that are the cornerstone of network security.
Each basic building block of network security is covered, including conventional and public-key cryptography, authentication, and digital signatures, as are methods for countering hackers and other intruders and viruses. The balance of the book is devoted to an insightful and thorough discussion of all the latest important network security applications, including PGP, PEM, Kerberos, and SNMPv2 security.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0138690170/netsecurity >

----------------------------------------------------------------------------

MAXIMUM LINUX SECURITY : A HACKER'S GUIDE TO PROTECTING YOUR LINUX SERVER AND WORKSTATION

In this book, readers become familiar with scores of offensive and defensive weapons, including Crack, Tripwire, linux_sniffer, mendax, and many more. For each program, the author documents the required infrastructure (such as C or Perl), the required permissions, and a URL from which the program can be downloaded. Most valuably, he walks you through the use of each program. Readers can follow along as the author performs various hacks, including an IP spoofing attack. He lists hundreds of hacking tools in an appendix, and includes a lot of software (Linux security products, code examples, technical documents, system logs, and utilities) on the companion CD-ROM.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0672316706/netsecurity >

----------------------------------------------------------------------------

MAXIMUM SECURITY : A HACKER'S GUIDE TO PROTECTING YOUR INTERNET SITE AND NETWORK

This book is written for system administrators who need to know how to keep their systems secure from unauthorized use. The anonymous author takes a hacker's view of various systems, focusing on how the system can be cracked and how you can secure the vulnerable areas. The book makes it clear from the outset that you cannot rely on commercial software for security.
Some of it is flawed, and even the best of it has to be used correctly to provide even the most basic security measures. The author scrutinizes such operating systems as Microsoft Windows, Unix, Novell, and Macintosh. He details many of the tools crackers use to attack the system, including several that have legitimate uses for system administration. Rather than merely cataloging areas of risk and showing how various flaws can be exploited, the author makes every effort to show how security holes can be avoided and remedied. An enclosed CD-ROM provides links to many of the tools and resources discussed in the book.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0672313413/netsecurity >

----------------------------------------------------------------------------

BIG BOOK OF IPSEC RFCS: INTERNET SECURITY ARCHITECTURE

The Security Architecture for the Internet Protocol, IPsec, is already defining the way organizations and individuals secure their networks. There is no single document that describes IPsec, but rather an entire body of work, the Requests for Comments (RFC's). This book compiles and organizes these important documents in a single printed volume, and adds a glossary and extensive index. This means you no longer have to wade through countless RFC's trying to find the answer to your IPsec question - all solutions are compiled in a single book, with an index that makes them even easier to locate. Every RFC describing an aspect of the IPsec standard is included here, as are descriptions of most of the cryptographic algorithms used in IPsec. Written by members of the IPsec Working Group and other Internet Engineering Task Force members, this is the most authoritative IPsec text available.
Book:
< http://www.amazon.com/exec/obidos/ASIN/0124558399/netsecurity >

----------------------------------------------------------------------------

ASP/MTS/ADSI WEB SECURITY

A book/CD-ROM guide for software developers and system architects who are building business-critical Web solutions where security is paramount. Explains the set of Web technologies from Microsoft, with sections on security fundamentals and core technologies, and Web security programming. Technologies discussed include Active Server Pages, Microsoft Transaction Server, and Active Directory Service Interface. The accompanying CD-ROM contains source code for examples and instructions for downloading trial versions of software packages.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0130844659/netsecurity >

----------------------------------------------------------------------------

DATABASE NATION : THE DEATH OF PRIVACY IN THE 21ST CENTURY

Forget the common cold for a moment. Instead, consider the rise of "false data syndrome," a deceptive method of identification derived from numbers rather than more recognizable human traits. Simson Garfinkel couples this idea with concepts like "data shadow" and "datasphere" in Database Nation, offering a decidedly unappealing scenario of how we have overlooked privacy with the advent of advanced technology. Garfinkel's thoroughly researched and example-rich text explores the history of identification procedures; the computerization of ID systems; how and where data is collected, tracked, and stored; and the laws that protect privacy.
Book:
< http://www.amazon.com/exec/obidos/ASIN/1565926536/netsecurity >

----------------------------------------------------------------------------

Defaced archives
------------------------

[23.07.2000] - Sonlife Ministries
Original: http://www.sonlife.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/23/www.sonlife.com/

[24.07.2000] - Intelligent Media
Original: http://www.e-pages.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.e-pages.com/

[24.07.2000] - icehockey.wes.army.mil
Original: http://icehockey.wes.army.mil/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/icehockey.wes.army.mil/

[24.07.2000] - Business Software Alliance
Original: http://www.bsa.cz/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.bsa.cz/

[24.07.2000] - NS BASIC
Original: http://www.nsbasic.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.nsbasic.com/

[25.07.2000] - mnr.gov.ru
Original: http://www.mnr.gov.ru/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/25/www.mnr.gov.ru/

[28.07.2000] - Def Con Web site
Original: http://www.defcon.org/
Defaced: http://www.net-security.org/misc/sites/www.defcon.org/

Questions, contributions, comments or ideas go to:

Help Net Security staff
staff@net-security.org
http://net-security.org