House Leader Presses FBI Surveillance Worries
WASHINGTON (Reuters) - House Majority Leader Dick Armey may seek U.S. Justice Department budget cuts to curb the use of the FBI e-mail surveillance tool formerly known as Carnivore, a spokesman said on Thursday.
"If necessary he would consider using Congress's power of the purse to pull the plug on Carnivore," said the aide, Richard Diamond.
At issue is specialized software used by the FBI for court-authorized tracking of a criminal suspect's online communications with the cooperation of an Internet service provider.
Unlike other court-ordered electronic surveillance tools, Carnivore, as it is still widely known, gives law enforcers access to the communications of all the service provider's customers, critics have charged.
Web at risk from new MS flaw By Robert Lemos ZDNet News
Microsoft said Monday that a "serious vulnerability" in its flagship Web server software used by computers running more than 6 million sites could allow hackers and online vandals to take control of the computers.
As first reported by CNET News.com, the flaw occurs in a component of Microsoft's Internet Information Service (IIS) software that is installed on Web servers by default, said Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the flaw.
"Pretty much any Web server (using Microsoft software) is basically left vulnerable to attack," he said. "Any hacker can basically get system-level access, which is the highest level of access on the computer," by using a program that exploits the problem.
Tool feeds ads to your e-mails
Melbourne-based online marketing company Reva Networks is currently promoting a new e-mail technology--Admail--that allows online advertisers to intercept e-mail messages as they enter the mail server and "wrap" them in advertising content tailored to the recipient's demographic profile.
Unlike conventional unsolicited e-mail, where advertising arrives in the user's inbox as a separate e-mail, Admail fuses advertising with the message body regardless of its origin.
ONLINE PRIVACY CONCERNS DUBBED 'HYSTERIA'
A Federal Trade Commission member calls concern over online privacy "hysteria" and suggests the average person has more privacy today than a century ago. Commissioner Thomas Leary said he doesn't expect any new privacy regulations from the FTC, at least for now. The hysteria is misplaced, he said, because there's going to be so much data available that companies won't be able to use it in ways that could hurt individual consumers.
PRIVACY GROUP RELEASES FREE 'SNOOP-WARE'
Internet users can find out if they're being tracked online -- and who's
doing the tracking -- with free software released by a privacy group.
Bugnosis is a browser extension that detects bugs hidden on Web pages that collect info about users. At unscrupulous Web sites, the data may be passed along to third parties without the user's permission. The software released by the Privacy Foundation works for Internet Explorer 5 and up. An email version is planned.
Demand for NSA's W2K Security Guidelines Overwhelms Agency's Web site
(Thursday, June 14, 2001) A set of security guidelines for Windows 2000 posted by the National Security Agency last week proved so popular that NSA was forced to shut that area of its site down.
Visitors trying to access the security guidelines were greeted with a message that NSA was reconfiguring its Web site to handle the volume of visitors interested in downloading the guides. NSA planned to have the Windows 2000 security download portion of the site back online this week.
Trojan horse exploits Microsoft Word
By Robert Lemos Special to CNET News.com June 14, 2001, 1:05 p.m. PT
A month-old flaw in Microsoft Word has opened up PCs to attack by a new Trojan horse, antivirus researchers said Thursday.
Dubbed "Goga," the malicious code poses as a Word document saved in rich text format but actually reaches through the Net to run a Word macro--a small program that runs within the application--saved on a Russian Web site.
"While this is not a danger to the general public, it could be a danger to somebody if there is a direct mailing to them," said Jimmy Kuo, a researcher at security software maker Network Associates.
The Trojan horse appears as a text file in the rich text format, or RTF, attached to an e-mail, according to Russian antivirus software company Kaspersky Labs, which first found the malicious program.
Worm targets Gates with e-mail bomb
AN E-MAIL WORM that targets systems running Microsoft's Internet Information Services (IIS) enlists infected machines in what appears to be a hacker's vendetta against Microsoft.
Microsoft Smart Tags: Changing the Nature of Hyperlinks?
Is Microsoft preparing to fundamentally change the open nature of the Internet in favor of an infrastructure where your Web browser goes where Microsoft tells it to go? If the forthcoming release of Windows XP contained a controversial Microsoft-originated feature, the answer is yes.
Microsoft Scraps Smart Tags Plan
Following weeks of outraged criticism, Microsoft Corp. Thursday backed away from plans to include the Smart Tags feature in Windows XP's Internet Explorer 6.
The Smart Tags feature would allow IE 6 to turn any word on a Web site into a link at Microsoft's discretion. That link, without the Web site author's knowledge or consent, could lead to a Microsoft site or, conceivably, the site of a Microsoft partner or even an advertiser.
Critics said the feature gives Microsoft too much leverage over how users interact with Web pages.
The company reportedly will keep the Smart Tags feature in Office XP. The final version of Windows XP is due to ship in October.
Promises of Jennifer Lopez Nude Deliver Destructive Virus
[June 1, 2001] Mimicking the OnTheFly virus which promised pictures of
Russian teen tennis star Anna Kournikova, this new LoveLetter variant
promises Jennifer Lopez instead.
Apache Survives Server Crack Attack
[May 31, 2001] The open-source organization reveals that its public
Web server was cracked by an unknown assailant two weeks ago.
20 June 2001 Money Bugs Send Credit Card Data to Thieves
Small devices can be planted inside retail terminals where they skim
credit card information and automatically send it to labs where people
make phony credit cards.
Note: This is a fundamental vulnerability that results from the
ability to insert an untrusted device. Visa and MC may protest all
they like, but the cost of such devices has fallen to the tens of
dollars, and any merchant and most of their employees can insert one.
The answer is smart cards, and Visa and MC both know it. We can only
hope that they will start to use them before permanent damage is done
to public trust and confidence. Time is critical and it is not
obvious that they have enough.
A new malicious program - dubbed 'Leaves' - infects previously compromised PCs and seemingly prepares the machines to launch a DoS attack
A government Internet watchdog warned companies this past weekend of a new malicious program that spreads to previously compromised PCs and seemingly prepares the infected machines to launch a denial-of-service attack, sources said Monday.
Putting Security in the Palm of Your Hand
Hitachi and Sanyo team up to develop a secure memory card that holds encrypted data for Palm PDAs.
Your Palm PDA may soon have an added level of security. Hitachi and Sanyo Electric have developed a Secure Multimedia Card, a memory card that has a security function for stored data, designed for use with Palm handhelds.
Crypto flaw allows e-mail shenanigans
Common encryption standards that allow users to digitally sign their e-mail have a well-known flaw that could allow the message to be surreptitiously forwarded to another person, a researcher plans to announce Thursday at a technical conference.
Security pros: We must track the hacks
Two security incidents last week have polarized the parties debating the thorny issue of
reporting vulnerabilities and exploits, but help may be on the way in the form of an industry group with established protocols.
Net espionage stirs Cold-War tensions
WASHINGTON -- Fears of Cold War tensions are finding new life in cyberspace, as the threat of Internet espionage shifts the nuclear-age doctrine of "mutually assured destruction" to that of mutually assured disruption.
In one long-running operation, the subject of a U.S. spy investigation dubbed "Storm Cloud," hackers traced back to Russia were found to have been quietly downloading millions of pages of sensitive data, including one colonel's entire e-mail inbox. During three years, most recently in April, government computer operators have watched--often helplessly--as reams of electronic documents flowed from Defense Department computers, among others.
Hackers delay censorship-busting software
A GROUP OF hackers has delayed introducing its planned Web software that is meant to allow users to evade government censorship of the Internet. The delayed project, code-named "Peekabooty," was originally scheduled for launch next month at the hackers' convention Def Con, the group Cult of the Dead Cow (CDC) said in an e-mail message to journalists.
Sign on the digital line
The E-Sign Act goes into effect, legitimizing electronic signatures in the eyes of the law.
"Getting it in writing" is no longer the only option. On Sunday, June 10, when Congress's E-Sign Act became law, electronic signatures began carrying as much legal weight as a pen-and-paper John Hancock, giving companies the confidence to arrange their business contracts over the Internet. The law will have little immediate impact on business practices, but it's a necessary step in the evolution of e-commerce.
Hacker wages war on the waves
As the US Navy announces a $4.1bn attempt to secure the Navy Marine Corps Intranet (NMCI), hackers have issued a warning that Navy websites are next on the list of targets.
The five-year project to secure the NMCI, which consists of 350,000 desktops and 200 networks, dispersed around the world, focuses on controlling virus outbreaks and killing malicious code.
SSH hits the fan for Cisco on security
Cisco products, including its PIX firewall, are subject to multiple vulnerabilities in Secure Shell (SSH) despite the fact problems with the protocol have been known about for almost a year.
19 & 20 June 2001 Social Worker Recommends Jail Time For Canadian Teen
A court-appointed social worker said that the Canadian teenager
responsible for major denial-of-service attacks in February 2000
should spend at least five months in detention. The boy has shown no
remorse for his actions, needs more discipline, and is likely to
commit more cyber crimes, according to the social worker.
Canoe.ca and Wired
22 June 2001 Consumers' Association Chastised for Security Problem
The Consumers' Association (CA) exposed customer credit card
information on its TaxCalc web site. CA has arranged for an
independent assessment of the web site, which will remain down until
the security problem has been addressed. Experts have been vocally
critical of the blunder.
BBC
22 June 2001 An Important Application for Encryption
While credit card numbers may also be exposed in transit on the network, attacks against the merchant's server are usually more efficient: a single successful attack yields far more value relative to its cost. Merchants store credit card numbers because it makes subsequent purchases easier for the consumer. Where merchants elect to save credit card numbers, they should do so on a back-end database server. If credit card numbers are stored on the front-end server, they should be encrypted.
Wired
21 June 2001 Cracker Penetrates Credit Card Database
A cracker accessed the credit card database of Anacom Communications
Inc., an independent subsidiary of ZixIt Corp. The FBI is
investigating.
ComputerWorld
21 June 2001 Phone Phreaking Bill Dispute
Crackers took advantage of a Georgia realty firm's 800 number to make nearly $90,000 in overseas calls; as no culprits have been caught, the small company disagrees with AT&T about who should foot the bill. Businesses can protect themselves from such attacks by using arcane passwords, changing them regularly, keeping passwords secret, and blocking international phone service if it is never used.
AccessAtlantic
20 June 2001 Instant Messaging Archiving Privacy Issues
Some instant messaging programs incorporate archiving features which do not require the consent of both participants; most programs also allow users to save their real-time online conversations as text files.
Cnet
20 June 2001 Financial Institutions, Consumers Urged to Pay Attention to Security
The Financial Services Authority (FSA) urged online financial institutions not to forget security while they ready new products. The UK watchdog group also cautioned consumers to be attentive to security matters while doing business online; consumers should use obscure passwords, change them often, and check for encryption when sending data, suggests an FSA team manager.
BBC
18 June 2001 Elements of a Good Security Awareness Program
A good security awareness program will address social engineering,
passwords, insider threats, and cyber ethics.
18 June 2001 ComputerHQ.com Exposed Customer Data
A programmer who found a JavaScript flaw on the ComputerHQ.com web site that divulged credit card information and other personal data about customers tried and tried again to get the company to fix the problem. While some of the customers contacted by the programmer were shocked at the lax security, others were angry that the programmer had pried into their private details.
Wired
Note: The same thing happened to me over the Christmas holidays last year. I found several open systems on a local net connected to the Internet that were totally accessible. You couldn't write to them, but you could copy everything off them, including their customer database and accounting program with all their customer data, invoices, acct/banking info, payroll, etc. After spending $20 on long distance calls to contact the system owner, all I got was blasted for snooping on his computer. So much for trying to be helpful!
9 - 14 June 2001 Cal-ISO Servers Compromised
Crackers recently infiltrated two servers that were part of a development network at the California Independent System Operator (ISO) -- an integral part of the power grid -- raising concerns that foreign governments or terrorist groups are probing the US's critical infrastructure networks. Security specialists say they cannot tell who was responsible for the attacks, and that many security measures, including firewalls, tripwires, and logs, were not in place.
LA Times, ComputerWorld and Cnet
Note: Why are systems intended for the development of such a sensitive application connected to the public network at all, much less without routine security measures?
15 June 2001 Wireless Keyboard Security
Daten-Treuhand, a German security concern, has posted a warning on
Bugtraq that crackers can sniff passwords from wireless keyboards from
up to 30 meters.
The Register
15 June 2001 New Malicious Hacking Tools
Security consultants say there are two new hacking tools available on
the Internet: GodMessage and Choke. GodMessage lets crackers put
ActiveX code on web pages which would make browsers download a
compressed program. Users with current antivirus software should be
protected. The Choke worm circumvents security controls using MSN
Messenger.
ZDnet
11 & 13 June 2001 MacSimpson Worm (For our Apple/MAC Friends)
A mass mailing worm that targets Macintosh computers arrives as an attachment purporting to be secret episodes of The Simpsons. The attachment is actually an AppleScript that sends copies of itself to everyone in the Outlook Express or Entourage address book(s) of infected machines. Finally, the worm moves the contents of the sent mail folder to the deleted items folder and opens Internet Explorer to a Simpsons archive. The worm affects Macintosh System 9.0 and higher, and Outlook Express 5.02 and higher. The Computerworld article offers advice for removing the worm from infected systems.
Cnet, ZDnet and ComputerWorld
6 & 7 June 2001 Watermark Cracking Researchers Ask Court to Let Them Present Work
In April, a team of researchers bowed to pressure from the Secure
Digital Music initiative (SDMI) and the Recording Industry Association
of America (RIAA) and declined to present a paper that describes how
they cracked digital watermarking schemes. Last week, that same group
of researchers filed a federal lawsuit asking that they be allowed to
present their paper at a technical conference this summer.
Wired and ZDnet
5 & 6 June 2001 Miss World Worm
The Miss World worm carries a malicious payload that tries to
overwrite necessary files and format hard disk drives. The worm is
launched by opening infected e-mail attachments, and spreads via
Outlook.
The Register and ZDnet
31 May 2001 SULFNBK.EXE Worm Hoax
A hoax e-mail may have convinced many people to delete SULFNBK.EXE, a
Windows utility, from their hard drives. While the e-mail may have
begun with good intentions - there have been reports of e-mails
containing copies of the file infected with W32.Magistr.24876@mm - the
hoax e-mail uses social engineering to get people to do the work of a
malicious worm. A Symantec site offers information about the hoax
e-mail and instructions for restoring the deleted file.
ZDnet and Symantec AV
1 June 2001 Hotmail and Yahoo E-mail Vulnerability
A vulnerability in Hotmail and Yahoo e-mail programs allows a
deliberately composed e-mail containing an HTML link to behave like a
worm and flood Internet mail servers. Microsoft had the flaw fixed by
Friday afternoon, and Yahoo was working on a fix.
Cnet
31 May 2001 New Worm Variant Makes Use of Social Engineering Tactics
The Chernobyl worm, which carries a malicious payload capable of
overwriting a computer's BIOS information, is making the rounds this
time in the guise of an attachment purporting to be pictures of
Jennifer Lopez.
Cnet
Note: "Social engineering" is a term hackers use to put a pleasant face on fraud and deceit. Personally, I prefer the definition 'user created error'. That's when the user, upon receiving an email warning about a virus or suspected spyware, follows the instructions without verifying the content and "deletes" key Windows or Program Files.
30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses
Some hackers figured out the method SETI@home uses to exchange work
units with volunteers in its distributed computing effort, and took
advantage of the knowledge to mine up to 50,000 e-mail addresses which
were then used in a spam attack. SETI@home's project director said
the server software has been revised.
MSNBC
Note: The article says this hack exposes the pitfalls of distributed
computing. More precisely, it exposes the pitfalls of distributed
computing with weak authentication.
29 May 2001 Hacker Helps Excite@Home With Security
Excite@Home has praised a hacker who came to the company with
information about a server vulnerability that could have exposed
customer support data. After meeting with the man, Excite@Home
bolstered its network security by installing firewalls, implementing a
variety of security hardware and programs, and restricting network
access.
Cnet
Note: @Home is a major contributor to the security problem, because of its lax security. Just look at the GRC story "Security Expert's Site Knocked Offline By Attack."
NOTE: The fact that the ISPs won't or can't secure/administer their systems/users has led me to believe that the only recourse is to take legal actions that will force the DOMAIN REGISTRARS to "SUSPEND" the DNS numbers of these ISPs for at least 48 hrs when more than 500 complaints have been filed. Then let's see how fast they'll deal with the problem, when their financial interest is at stake!
29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee
A draft report from a European Parliament investigative committee
concludes that Echelon, the global electronic eavesdropping network,
is not as capable as was previously believed, but the committee still
recommends that people use encryption software.
ComputerWorld; Echelon Q&A: BBC
24 May 2001 Weather.com Hit By Denial of Service Attack
The Weather Channel's web site was hit by a denial-of-service attack
that limited user access and slowed site performance for about seven
hours. The director of site operations said that in defense, they
shifted to another dedicated router and installed filtering and
intrusion detection software. In addition, system administrators are
examining the company's server logs to see if the attack was a
diversion created to draw attention away from an intrusion.
InterNet Week
19 May 2001 Cracker Compromises Customer Credit Card Data
A security breach at A&B Sound's web site exposed customer names and credit card data. The site was shut down to allow for investigation. A&B Sound has sent e-mails to potentially affected customers advising them to contact their credit card issuers.
Vancouver Sun
[SECURITY BULLETINS]
Win - Update {00.43.013}: MS00-077: NetMeeting desktop sharing DoS
Patch Available for "NetMeeting Desktop Sharing" Vulnerability
Microsoft has re-released MS00-077 ("NetMeeting desktop sharing DoS"), which fixes a new variant of the original problem discussed in {00.43.013}.
FAQ and patch: Microsoft Security Bulletin MS00-077.
Source: Microsoft
{01.26.002} Win - MS01-034: Word Document Auto Macro Execution
Microsoft has released MS01-034 ("Malformed Word Document Could Enable
Macro to Run Automatically"). Particular malicious embedded macros in
Word documents may not be recognized by the security scanner allowing
them to execute regardless of security configurations.
FAQ and patch: Microsoft Security Bulletin MS01-034.
Source: Microsoft
MS01-028: RTF document linked to template can run macros without warning
This bulletin discusses a vulnerability in several versions of
Microsoft Word. By design, if a user has configured Word to prompt
before running macros, Word should do so even when the macro is in a
document linked to the one that the user opened. However, if the macro
is in a template and the user opens an RTF document that links to the
template, no warnings are issued.
This affects several versions of Word; patch status is as follows:
* Word 2000: patch available
* Word 98 (J) for Windows: patch not yet available; consult the bulletin for availability
* Word 97: patch available
* Word 98 for the Mac: patch not yet available; consult the bulletin for availability
* Word 2001 for the Mac: patch not yet available; consult the bulletin for availability
The problem does not affect Word 2002 for Windows.
For more information see:
* Microsoft Security Bulletin MS01-028
* Microsoft Knowledge Base (KB) article Q288266 "WD2000: No Macro Warning When You Open RTF Document"
* The CVE information
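The MS01-028 path is an RTF document whose attached-template link points off the machine, so a gateway or analyst check can look at exactly that link. The following is an added example, not Microsoft's code and not from the bulletin; it assumes the RTF `{\*\template ...}` destination is where the attached template path lives, and the four sample documents are constructed for the demonstration.

```python
import re

# Constructed sample RTF documents (not real samples from the bulletin).
RTF_LOCAL = r"{\rtf1\ansi{\*\template C:\\Templates\\normal.dot}Quarterly report}"
RTF_HTTP = r"{\rtf1\ansi{\*\template http://template.example.invalid/q.dot}Quarterly report}"
RTF_UNC = r"{\rtf1\ansi{\*\template \\\\fileserver\\share\\q.dot}Quarterly report}"
RTF_NONE = r"{\rtf1\ansi Quarterly report}"

# Assumption: the attached template is named in the RTF "template" destination.
TEMPLATE_MARKER = r"{\*\template"
# RTF control word or \'hh hex escape; group 1 captures the hex byte if present.
CONTROL_RE = re.compile(r"\\(?:'([0-9a-fA-F]{2})|[a-zA-Z]+-?\d* ?)")


def extract_template_path(rtf):
    """Return the text of the template destination group, or None if absent.

    Walks the group by hand so escaped braces and backslashes and nested
    groups are handled; hex escapes are decoded, other control words skipped.
    """
    start = rtf.find(TEMPLATE_MARKER)
    if start == -1:
        return None
    i = start + len(TEMPLATE_MARKER)
    depth = 1
    chars = []
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":
            nxt = rtf[i + 1:i + 2]
            if nxt in ("\\", "{", "}"):
                chars.append(nxt)  # escaped literal character
                i += 2
                continue
            m = CONTROL_RE.match(rtf, i)
            if m:
                if m.group(1) is not None:
                    chars.append(chr(int(m.group(1), 16)))
                i = m.end()
                continue
            i += 1
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                break
        else:
            chars.append(ch)
        i += 1
    return "".join(chars).strip()


def is_remote_path(path):
    """True for UNC paths and URL-style paths, which fetch the template off-host."""
    p = path.strip()
    return p.startswith("\\\\") or re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", p) is not None


def classify_rtf(rtf):
    """Return (verdict, template_path) for one RTF document."""
    path = extract_template_path(rtf)
    if path is None:
        return ("no-template", None)
    if is_remote_path(path):
        return ("remote-template", path)
    return ("local-template", path)


if __name__ == "__main__":
    for name, doc in (("local", RTF_LOCAL), ("http", RTF_HTTP),
                      ("unc", RTF_UNC), ("none", RTF_NONE)):
        print(name, classify_rtf(doc))
```

A local template path is normal Word behaviour; only the remote verdict is worth quarantining or alerting on.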
MS01-029: Windows Media Player .ASX Processor Contains Unchecked Buffer
This bulletin announces patches for two vulnerabilities in Windows
Media Player 6.4 and 7.0.
Pauli Ojanpera posted a message to BugTraq on May 2, 2001, announcing
a new buffer overflow in the Windows Media Player (WMP) versions 6.4
and 7.0. The buffer overflow occurs in the routines that parse .ASX
files. A similar vulnerability was announced and fixed in MS00-090
(see the November 2000 SANS WSD). The new vulnerability affects the
HREF attribute of the BANNER tag.
On May 6, 2001, another message was posted to BugTraq by ByteRage detailing a denial of service in Media Player 6.4 caused by a malformed version field in an .ASX file. We have verified that version 7.1 appears to be immune to this exploit, and that it appears to be a denial of service attack only on WMP 6.4.
Ojanpera also posted another buffer overflow in WMP on May 28. Even
the patched versions are vulnerable to that issue. See item 3.5.1 for
more details.
This issue has received CVE candidate number CAN-2001-0242.
The second vulnerability fixed in this bulletin is that WMP stores Internet shortcuts in files with known names underneath the user's temporary Internet files folder. Since they have known names, and they could contain HTML and script code, the potential exists that these files could be executed by some hostile mechanism, in which case they would execute in the context of the local computer. In that context they could take more privileged action than would be possible if they were executed from a web page on the Internet.
This issue has received CVE candidate number CAN-2001-0243.
The patch also includes functionality to prevent identification of individual media player installations. A web site could assign a unique identifier to a media player installation. A set of web sites could then be used to correlate information about users using the media player. A new option has been added to block this. To do so, install the patch and then disable the option "Allow Internet sites to uniquely identify your player."
There is a patch available for WMP 6.4. Users of WMP 7.0 may upgrade to version 7.1 to block these vulnerabilities:
* Windows Media Player 6.4 patch
* Upgrade for Windows Media Player 7
For more information see:
* Microsoft Security Bulletin MS01-029
* Microsoft Knowledge Base (KB) article Q298598 "Patch Available for Windows Media Player 6.4 and 7 Buffer Overrun Vulnerability"
* Microsoft Knowledge Base (KB) article Q296138 "Patch Available for Windows Media Player 6.4 and 7 Internet Shortcut Vulnerability"
* Microsoft Knowledge Base (KB) article Q296139 "Patch Available for Windows Media Player 6.4 and 7 Privacy Issue"
* The CVE information:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0243