HNS Newsletter
Issue 52 - 26.02.2001
http://net-security.org
http://security-db.com

This is a newsletter delivered to you by Help Net Security. It covers weekly 
roundups of security events that were in the news the past week. Visit Help 
Net Security for the latest security news - http://www.net-security.org.

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Archive of the newsletter in TXT and PDF format is available here:
http://www.net-security.org/news/archive/newsletter

Table of contents:
 
1) General security news
2) Security issues
3) Security world
4) Featured books
5) Security software
6) Defaced archives



General security news
---------------------
 
----------------------------------------------------------------------------

THE TERRORISM ACT 2000
The Terrorism Act 2000 is designed to prevent dissident political groups from 
using the United Kingdom as a base for terrorism and recognises a new threat 
from cyberterrorists for the first time. But the Act also significantly widens the 
definition of terrorism to include those actions that "seriously interfere with or 
seriously disrupt an electronic system".
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2001/7/ns-21060.html


BIOMETRICS: THE TIGHTROPE
At first look, biometrics is a mighty fortress. Or, does that initial impression 
overlook some subtle problems with the technology? If the prime directive 
of all security practice dictates that no security system is perfect, then 
biometrics definitely has shortcomings. To understand those problems, 
explaining two concepts becomes essential.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/articles/biometrics20010220.html


THE SM0KED CREW FAQ
"With all the recent media attention that the "sm0ked crew", an online group 
of web defacers, has been getting it was time to ask a couple of important 
questions. We've never done an interview of defacers before, but my 
curiosity gets the best of me quite often."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.cipherwar.com/news/01/sm0ked_crew.htm


EASY INTERNET SHARING NHF: VERSION 1.0
"This is a tutorial on sharing your Internet connection by configuring a Linux 
machine as your gateway/firewall. I've made this tutorial as easy as possible 
so that the average newbie can have a running and secure mini-home network. 
I'm sure you've probably been told that setting up firewall rules and IP 
masquerading can be difficult. Not so, as you will find out. In fact, we 
won't even be learning a single firewall rule."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://linuxnewbie.org/nhf/intel/network/eznetshare.html


PGP CREATOR ZIMMERMANN JOINS HUSH
One of the founding fathers of modern cryptography, Phil Zimmermann - who 
created PGP and thus introduced a generation of computer users to email 
encryption - has left the security firm Network Associates to join Irish-based 
encryption startup Hushmail. Zimmermann was at the forefront of the battle 
to give ordinary Internet users access to email encryption in the 1990s. When 
he released the first version of PGP in 1991, Zimmermann faced a three-year 
FBI investigation. Encryption was still viewed as a threat to the US government's 
intelligence operations and classified military munitions.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.co.uk/news/2001/7/ns-21079.html


THE STATE OF MUSIC SECURITY
Recently, the digital rights management crowd got a sharp lesson from the 
entertainment industry. No more proprietary systems and hard-to-use digital 
rights management systems that consumers can't understand. Instead, they 
want clearinghouses where their content can be safely stored and streamed 
to end users who don't have to decipher which media player will work.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/business/0,1367,41874,00.html


THEY REVEAL HIDDEN MESSAGES
U.S. government agencies, including the NSA and the Pentagon, are quietly 
funding research into steganalysis: the study of detecting hidden messages 
inserted into MP3 or JPEG files. What have they found? Current steganography 
programs don't work that well at all.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/politics/0,1283,41861,00.html


CONFIGURING A QUICK-AND-DIRTY ROUTER AND PROXY
Setting up an unsecured router and proxy using IP Masquerading; plus, 
contrary to popular belief, Linux can play nice with PCI modems.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://linuxworld.com/linuxworld/lw-2001-02/lw-02-geek_2.html


ZIXMAIL SECURE DOCUMENT DELIVERY
ZixMail is a secure document delivery, private email and message tracking 
service that enables you to easily send encrypted and digitally signed 
communications to any email address in the world. This means that only your 
intended email recipients will be able to open messages that you have sent.
Link: http://www.security-db.com/product.php?id=324&cid=65


NSA CHIEF SAYS BIN LADEN HAS SUPERIOR TECHNOLOGY
Islamic terrorist Osama bin Laden has technology at his disposal superior to 
that of the National Security Agency, the head of the super-secretive spy agency 
has told an American documentary programme. Superior technological capabilities 
helped bin Laden to mastermind the simultaneous 1998 bombings of US 
embassies in Kenya and Tanzania that killed 224 people, said General Mike 
Hayden, head of the NSA, during an interview to be broadcast tonight on 
CBS' 60 Minutes II news show.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/8/17072.html


PANIC OVER VULNERABILITIES
The recent discovery of vulnerabilities in BIND quickly escalated from a 
reasonable security concern to widespread panic. In this week's Unix Security, 
Dev Zaborav looks at the increasing sensationalism that surrounds Internet 
security and worries that too many cries of emergency will leave administrators 
distrustful when critical situations actually arise.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-unixsecurity-dv.html


NET ANONYMITY FIRMS SEEK THEIR MARKET
As an Internet user and online shopper, you may have more in common with 
your friendly neighborhood spook at the CIA than you think - both you and 
the agents who look out for your national security are concerned about 
remaining anonymous online. Unlike the CIA, you probably won't have to 
pay for it in the next few years - as long as the companies offering these 
tools can stay in business...
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.computeruser.com/news/01/02/20/news15.html


IS YOUR WEB SERVER RUNNING UNNECESSARY SOFTWARE?
This article quickly shares some ideas on how beginning webserver administrators 
can improve server efficiency, ease management and, hopefully, improve security 
as well. It gives a few examples of processes that don't need to be running, 
required programs and some ideas for BSD and System V-type systems for 
disabling startup scripts. This article doesn't go into great detail, but will give 
the newbie administrator some basic ideas.
Link: http://apachetoday.com/news_story.php3?ltsn=2001-02-20-003-06-PS-LF-AD


FBI AGENT SOLD SURVEILLANCE/NUKE DATA TO RUSSIA
FBI Special Agent Robert Philip Hanssen, aged 56, was placing a packet of 
classified information at a dead drop site near his residence in suburban 
Virginia Sunday night when the Feds collared him, much to his surprise. 
Hanssen gave his Russian handlers over 6,000 pages of secret and top 
secret documents, according to a detailed, 103-page FBI affidavit in 
support of a request for search and arrest warrants.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.theregister.co.uk/content/8/17078.html


VENDOR KEY MANAGEMENT
Times sure do change. I remember when Linux was new, a "hacker's" OS. We 
had to walk 10 miles, uphill, to get install floppies for it. (Actually I was lucky, 
I only had to copy them; my friend downloaded the Slackware images over a 
9600 modem.) Back then security wasn't much of an issue for most Linux 
users. We used telnet, and we liked it. Software updates either consisted of 
downloading the source and compiling it, or using extremely simple package 
management such as Slackware provides (although calling tarballs package 
management does seem kind). GnuPG didn't exist, and PGP was still only used 
by a minority (an even smaller minority than today, if you can believe that).
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/closet/closet20010221.html


BIOMETRIC SECURITY FOR E-BUSINESS
Computer Associates International and DataTreasury Corp. said they have 
formed an alliance to provide biometric security - which uses identifying 
traits like fingerprints, iris scans and voice patterns - to protect e-business 
transactions. The two companies said they hope to market the system to 
businesses that manage information worldwide, including healthcare 
organizations that hold sensitive data about patients. Computer Associates 
describes itself as an e-business management company, while DataTreasury 
said it is a data broker that operates a biometrics information clearinghouse.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.newsbytes.com/news/01/162257.html


EARTHLINK SLOW TO ADMIT ATTACK
Crackers broke into Internet service provider Earthlink's network last week, 
but the company kept it quiet because it claims customer data was not 
compromised. A company spokesman said that it did not alert subscribers 
because the main security system remained intact, but a Wired News tipster 
said the crackers created a potentially dangerous backdoor to the system.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.wired.com/news/business/0,1367,41934,00.html


SECURING YOUR SOLARIS SERVER
Systems administrators are often too busy with their day-to-day work to 
concern themselves with system security. That means servers may end up 
without the latest security patches or fixes, offering easy ways for attackers 
to gain entry into their systems. In this Unix Insider feature, Jamie Wilson helps 
you secure your Solaris server by demonstrating how to disable inetd, secure 
su, find and secure setuid and setgid files, and install and configure ipfilter.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.sunworld.com/unixinsideronline/swol-02-2001/swol-0216-hardening.html


STUDYING FTP TRAFFIC
This is the second article in a three-part series devoted to studying normal 
traffic. Many intrusion detection analysts concentrate on identifying the 
characteristics of suspicious packets. However, it is also important to be 
familiar with what normal traffic looks like. A great way to do this is to 
generate some normal traffic, capture the packets and examine them. The 
first article in this series explained how to capture packets using WinDump 
and reviewed some simple examples of normal TCP/IP traffic. In this article, 
we will be examining FTP traffic, which, from a traffic flow standpoint, is 
more complicated than many other protocols.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.securityfocus.com/focus/ids/articles/normaltraf2.html


PRACTICE SAFE INTERNET SHOPPING
If there is one thing to blame for the slow adoption of Internet commerce, it's 
the age-old credit card. Many consumers are simply afraid to use it online. And 
they have reason. A report released Monday by the European Commission 
revealed that credit card fraud ballooned last year by approximately 50 percent 
in Europe amid an increase in Internet commerce transactions. The study follows 
repeated news reports of attacked credit card databases and failed security at 
a number of high-profile Internet sites.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.upside.com/Ebiz/3a9454365.html


NET FILTERING LAW DRAWS FINAL COMMENTS
Regulators accepted final public comments on a new law requiring libraries and 
schools that accept federal funds to install computer filters aimed at blocking 
access to adult material online. Librarians and educators criticized the law, 
saying it may be impossible to enforce. But conservative groups praised the 
plan, saying it will save children from finding pornography on the Internet.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2689132,00.html


ELIMINATING IP ADDRESS FORGERY
"It seems that eliminating IP address forgery is now all the rage because it is 
now affecting enough people who are important enough to get the whole 
Internet to take action. And it is indeed gratifying to see this - despite the 
frustration I suffer over the lack of citation to my original paper on the 
subject and my firewalls course that has covered this subject in detail 
for the last five years."
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.all.net/journal/netsec/0005.html


NETMAX FIREWALL WORTH THE FICKLE INSTALLATION
NetMAX FireWall from Cybernet Systems is a smooth-running, easily configurable 
firewall, if you can get past its annoying setup and installation. I'd like to mention 
some useful-looking features that I was unable to test. NetMAX FireWall includes 
a traffic monitor that logs and graphically displays all traffic over the network. 
That kind of monitoring could be very useful -- not only for ISPs, but in almost 
any corporate setting. If the quarterly report is due in an hour, but bandwidth 
seems a little slow, pop up the bandwidth report and find out that Johnny is 
on Napster again.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxworld.com/linuxworld/lw-2001-02/lw-02-netmax.html


DECSS UPDATE
In a filing submitted to the 2nd U.S. Circuit Court of Appeals in New York, the 
Justice Department lashed out at hackers and praised a lower court ruling that 
bans hacker magazine 2600 from publishing a code known as DeCSS.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.zdnet.com/zdnn/stories/news/0,4586,2689144,00.html


ENGINEER PLEADS SELF DEFENCE IN HACKING CASE
The Criminal Investigation Bureau referred to prosecutors a computer engineer 
who allegedly hacked into a computer server in what he called "self-defense." 
The Hsinchu computer engineer, surnamed Fan (S), said he thought that the 
other side attacked his computer first, while the truth was that the other side 
was an innocent party which had been attacked by a Trojan horse. A man last 
year reported to the police that a Web site which teaches magic and is run by 
him, had been hacked. He said some Web pages had been altered and some 
registered users' access to the Web site blocked.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.taipeitimes.com/news/2001/02/21/story/0000074560


TIME TO UN-BIND YOUR NETWORK!
D. J. Bernstein, author of djbdns, a "secure" DNS server, wrote this message, 
prompted by the recent problems experienced with BIND 9 and 
its "300000 lines of bad code." "BIND 9 is good code, you say? The BIND 
programmers learned their lesson from these security disasters and rewrote 
everything from scratch?" Professor Bernstein's opinion differs...
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.linuxsecurity.com/articles/server_security_article-2566.html


WEF HACKER ARRESTED
Swiss police arrested a man today on suspicion of hacking into the computer 
systems of the World Economic Forum and stealing private information about 
participants.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://abcnews.go.com/sections/scitech/DailyNews/hacker010223.html


STORY OF MICROSOFT 'HACK'
A top Microsoft executive revealed how a hacker was able to view some of the 
company's top-secret source code last October. The attacker gained broad 
access because an employee forgot to create a password when configuring a 
server, leaving the password blank.
Link: http://seattletimes.nwsource.com/cgi-bin/WebObjects/SeattleTimes.woa/wa/gotoArticle?zsection_id=268448455&text_only=0&slug=hack23&document_id=134269414


FIGHTING CHILD PORN
Tony Blair and George Bush are to lead a global crusade against the internet 
perverts who peddle child porn. The Prime Minister and the President sealed 
the deal during late night talks at Camp David at the end of their two-day 
summit. Mr Blair's government will immediately reinforce the deal with new 
tough laws on Internet paedophiles, to be announced in the House of 
Commons on Monday.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.newsoftheworld.co.uk/news/4165837


INSURANCE AGAINST CYBER ATTACKS
An internet user or ISP in India, so far, has no option if threatened by an 
attacker except to lodge a police complaint and change the profile of the 
internet service. Soon, Net users and ISPs can have insurance cover against 
cyber attacks. For the first time in India, insurance is being offered against 
all kinds of cyber crime, including loss of airtime, to the extent of $25 million. 
The insurance package, which was introduced in the US, UK and Japan last 
year, will be brought to India by Tata-AIG, a joint venture by the Tatas and 
American Insurance Group Incorporate.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://www.indian-express.com/ie/daily/20010226/ina26039.html


SURFINGATE AGAINST MALICIOUS WEB CONTENT
SurfinGate provides proactive gateway security for malicious Web content 
including ActiveX, Java, Visual Basic Script and JavaScript. Using a 
sophisticated real-time content-inspection process, SurfinGate identifies 
and blocks malicious code without relying on database updates. Centrally 
managed, SurfinGate allows companies to tailor policies for departments 
and users and enables secure e-business.
Link: http://www.security-db.com/product.php?id=606&cid=132


IDS REVIEW: INTRODUCTION
IDSes as we know them today are a relatively new phenomenon in the computer 
security field, but they have been improving rapidly and quickly becoming more 
complex, making them difficult for non-specialists in security to understand, and 
similarly difficult to judge when you are entertaining the thought of purchasing 
one. This article is intended to help you understand what these boxes are and 
give you some hopefully :-) informed opinions about the leading products on 
the market and what applications make sense for each.
Link: http://www.net-security.org/cgi-bin/news.cgi?url=http://securityportal.com/articles/idsintroduction20010226.html

----------------------------------------------------------------------------




Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs


----------------------------------------------------------------------------

RED HAT LINUX - NEW VIXIE-CRON PACKAGES
New vixie-cron packages are available that fix a buffer overflow in the 'crontab' 
command; this could allow certain users to gain elevated privileges. 
Link: http://www.net-security.org/text/bugs/982685081,35659,.shtml


IMMUNIX OS - VIXIE-CRON UPDATE
Immunix has tested the versions of the vixie-cron packages that are shipped 
with Immunix OS 6.2, 7.0-beta, and 7.0 and they are not vulnerable to the 
buffer overflow (due to the use of the StackGuard compiler). However, we 
are making updated packages available for those users who want to upgrade.
Link: http://www.net-security.org/text/bugs/982754741,49344,.shtml


SECURITY FLAW IN TELOCITY'S "GATEWAY MODEM"
Telocity provides DSL to their customers through what they call the Telocity 
"Gateway Modem". You can connect to these modems through your 
web browser to view usage statistics, your assigned IP, the DHCP server IP 
(Modem's IP), Management's IP (Modem's IP, different than the previous), 
DNS IP, and the hardware and software version information. In the older model 
modem, it is possible to remotely view the "Details" section of the modem, 
thus revealing all the above mentioned information to a possible intruder. 
Telocity has numbered their gateways in sequential order, so it would be 
possible to write a script that would search for http://123.123.123.1/stats 
in a range of addresses.
Link: http://www.net-security.org/text/bugs/982781361,33018,.shtml


LINUX MANDRAKE - VIXIE-CRON UPDATE
A buffer overflow exists in the 'crontab' command if it was called by a user with 
a username longer than 20 characters. If the system administrator has created 
usernames of that length, it would be possible for those users to gain elevated 
privileges.
Link: http://www.net-security.org/text/bugs/982858260,74013,.shtml


NT DRIVERS AND FORMAT STRING BUG
Many NT drivers are potentially vulnerable to a "format string bug". The problem 
concerns the DbgPrint function that is used for debug messages. Instead of 
calling this function directly, some drivers use additional intermediate functions. 
Those functions add a prefix to an outputted string, resolve a string format 
and pass the final string to DbgPrint. Note that DbgPrint also additionally 
resolves format specifications.
Link: http://www.net-security.org/text/bugs/982858351,64712,.shtml


WIN2K DIRECTORY SERVICES WEAKNESS
"We came across one security issue, which may be critical for large organizations 
planning to deploy Windows 2000 and Active Directory in one forest. Imagine 
that there is a forest with more than one domain. (Tree hierarchy does not 
matter in this situation.) Every domain has its own set of administrators. In 
Active directory there is one Configuration Container for the whole forest. So 
every domain controller has its own copy of Configuration Container and is able 
to change it and replicate changes to other domain controllers. The only 
obstruction for changing configuration are ACLs. But ACLs are checked on the 
local system and if you somehow modify it to avoid this checking, you can 
modify this Container."
Link: http://www.net-security.org/text/bugs/982858422,97626,.shtml


TURBOLINUX - BIND UPDATE
Two vulnerabilities have been discovered in ISC BIND 8. Please update the
packages in your installation as soon as possible.
Link: http://www.net-security.org/text/bugs/982910525,58182,.shtml


LINUX MANDRAKE - CUPS UPDATE
A number of problems were found by the SuSE security team recently during an 
internal audit of the CUPS printing package. These problems, which include temp 
file creation vulnerabilities and potential buffer overflows, have been resolved 
with the latest CUPS release, which also brings other security enhancements. It 
is highly recommended that all Linux-Mandrake users upgrade to this new version 
of CUPS.
Link: http://www.net-security.org/text/bugs/982910560,1837,.shtml


SEDUM V2.1 HTTPD - DENIAL OF SERVICE
SEDUM v2.1 is vulnerable to a nasty Denial of Service attack where it can be 
flooded with useless junk until the server crashes promptly. Once it has been 
crashed it needs to be restarted again for it to work properly. All Windows 
versions appear to be affected.
Link: http://www.net-security.org/text/bugs/983031499,96065,.shtml


MERCUR MAILSERVER 3.3 BUFFER OVERFLOW
By default the SMTP server is installed to run under the LocalSystem account. 
This makes it easy to take any action on the target system if an attacker could 
gain control over the code execution flow of the product.
Link: http://www.net-security.org/text/bugs/983031584,54993,.shtml

----------------------------------------------------------------------------




Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

ITALIAN PETROLEUM GIANT CHOOSES SECURE COMPUTING - [21.02.2001]

Secure Computing announced that its SafeWord Plus authentication and 
authorization solution will be used by the Italian petroleum company, 
AgipPetroli Spa, to add strong security to all of its present and future 
intranet applications. AgipPetroli, an ENI Group company, operates in the 
oil, natural gas, petrochemicals, oilfield services and engineering industries, 
and is one of the largest natural gas companies in the world with operations 
in many countries.

Press release:
< http://www.net-security.org/text/press/982725334,11543,.shtml >

----------------------------------------------------------------------------

BALTIMORE TECHNOLOGIES CHOSEN BY EORIGINAL - [21.02.2001]

Baltimore Technologies, a global leader in e-security, announced it has 
been chosen by eOriginal, the leading provider of Electronic Negotiable 
Instrument Software Solutions, to be included in the development of a 
trusted security infrastructure for the real estate financing, equipment 
and vehicle leasing, and the trade and transportation industries. Baltimore's 
award winning technology will enable eOriginal to deliver a secure and trusted 
environment for eOriginal's business partners to execute critical transactions, 
and trade or transfer legally enforceable electronic negotiable instruments and 
securities such as electronic mortgages, leases, bills of lading, letters of credit, 
regulatory filings and stock certificates.

Press release:
< http://www.net-security.org/text/press/982755394,25511,.shtml >

----------------------------------------------------------------------------

ZERO-KNOWLEDGE SYSTEMS INTRODUCES PRIVACY EYE - [21.02.2001]

Study after study indicates that consumers value their privacy, but they are 
often unaware of personal privacy intrusions and unsure of how to protect 
themselves. To empower individuals with valuable privacy information, 
Zero-Knowledge Systems today introduced Privacy Eye, a digital source of 
privacy news and commentary edited by author, journalist and privacy expert 
Tom Maddox. Whether they are average citizens with questions and concerns 
or informed privacy advocates, readers of Privacy Eye will find valuable privacy 
resources from the Web site (http://privacy.zeroknowledge.com/privacyeye/), 
including:


Press release:
< http://www.net-security.org/text/press/982848200,50350,.shtml >

----------------------------------------------------------------------------

CISCO TEAMS UP WITH VIGILANTE - [22.02.2001]

The E-Business Security Forum 2001 is organized by Cisco and associated 
companies involved in the European data security market (VIGILANTe, RSA, 
MIMEsweeper, Arthur Andersen, Websense, Netforensics, Tripwire). The goal 
of the roadshow is to bring together speakers from a variety of technology, 
consulting and related backgrounds to provide customers with a clear set of 
perspectives on how to secure their data networks in the E-Business world. 
The roadshow is FREE for all attendees and will be visiting a total of 12 
European cities over the course of 3 weeks during Feb-Mar 2001. Be one 
of the expected 2,500 people to experience this exciting and informative 
event!

Press release:
< http://www.net-security.org/text/press/982851597,49360,.shtml >

----------------------------------------------------------------------------

ODYSSEY - DEPLOYING CA'S UNICENTER TNG - [22.02.2001]

Computer Associates International, Inc. announced that Odyssey Technology, 
Inc. (Odyssey), an innovative developer of IT-focused business solutions for 
the retail industry, is deploying CA's Unicenter TNG to manage a revolutionary 
turnkey Web-based marketing solution. By providing a fully integrated solution 
for controlling Odyssey's highly dynamic eBusiness infrastructure, Unicenter 
TNG will ensure a highly available and secure environment in which consumers, 
retailers, manufacturers and national brands can conveniently exchange 
information and efficiently conduct transactions.

Press release:
< http://www.net-security.org/text/press/982852099,26710,.shtml >

----------------------------------------------------------------------------

SAFENET - SECURE 3 REMOTE ACCESS PROGRAM - [22.02.2001]

SafeNet, Inc., a leading provider of Internet security technology that is the de 
facto standard in the VPN industry, today announced the introduction of the 
SafeNet Secure 3 Program. Through this program, preferred customers can be 
assured that they have continued access to SafeNet's industry-leading remote 
access client software. Program participants will get SafeNet's new product, 
SoftRemote, which includes several important new features like support of 
industry-standard Smart Cards, full-featured personal firewall capabilities, 
centralized management, and enhanced interoperability. In addition, preferred 
customers will have the ability to input into the future direction of SoftRemote.

Press release:
< http://www.net-security.org/text/press/982875227,80539,.shtml >

----------------------------------------------------------------------------

TUMBLEWEED GRANTED PATENT FOR PRIVATE URLS - [23.02.2001]

Tumbleweed Communications Corp., a leading provider of mission critical 
messaging solutions, today announced that the U.S. Patent and Trademark 
Office granted the company patent no. 6,192,407, which protects private, 
trackable URLs for directed document delivery. The private URL technology 
is included in Tumbleweed Integrated Messaging Exchange(TM) (IME(TM)), a 
platform and set of applications for creating secure communications 
channels between a business and its customers, partners, and suppliers.
Tumbleweed IME generates a private URL for each secure delivery. The 
private URL that IME creates is unique, tied to the sender of the package 
or transaction, to the content being sent, and to the intended recipient. 
In practice, the private URL binds the recipient's e-mail identity to the 
content being sent, assuring that the information being sent is delivered 
only to the intended recipient. The private URL also binds a recipient's 
e-mail identity to an on-line transaction, facilitating authentication for 
both business-to-consumer and business-to-business online commerce.

Press release:
< http://www.net-security.org/text/press/982910862,83436,.shtml >

----------------------------------------------------------------------------

CAMELOT'S NETWORK INTELLIGENCE TECHNOLOGY - [24.02.2001]

Camelot today announced the launch of Hark! automated access control solution 
into the marketplace. Based on groundbreaking Network Intelligence technology, 
Hark! solves the problem of defining, managing and enforcing access control in 
today's interconnected e-business world. Developed by Israel-based Camelot, 
the Network Intelligence technology utilizes proprietary, advanced discovery 
algorithms to analyze network events and deduce the functional structure of 
an organization, extracting and mapping the relationship between users and 
various network resources.

Press release:
< http://www.net-security.org/text/press/983031879,1997,.shtml >

----------------------------------------------------------------------------




Featured books
--------------

The HNS bookstore is located at:
http://net-security.org/various/bookstore

Suggestions for books to be included into our bookstore 
can be sent to staff@net-security.org

----------------------------------------------------------------------------

INFORMATION SECURITY RISK ANALYSIS

Risk is a cost of doing business. The question is, "What are the risks, and
what are their costs?" Knowing the vulnerabilities and threats that face 
your organization's information and systems is the first essential step in 
risk management. This book shows you how to use cost-effective risk 
analysis techniques to identify and quantify the threats - both accidental 
and purposeful - that your organization faces. You can find books that 
cover risk analysis for financial, environmental, and even software projects, 
but you will find none that apply risk analysis to information technology and 
business continuity planning or deal with issues of loss of systems configuration, 
passwords, information loss, system integrity, CPU cycles, bandwidth, and more. 
Information Security Risk Analysis shows you how to determine cost-effective 
solutions for your organization's information technology.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0849308801/netsecurity >

----------------------------------------------------------------------------

SECURITY ENGINEERING: A GUIDE TO BUILDING DEPENDABLE DISTRIBUTED SYSTEMS

The first quick reference guide to the do's and don'ts of creating high quality 
security software. Ross Anderson, one of the world's foremost authorities on 
security design for such companies as Microsoft, Intel, and VISA, presents a 
comprehensive security design tutorial that covers the complete suite of 
security applications referred to as "end2end" security. Designed to meet a 
growing, critical need among today's programmers, most of whom have no 
security training but need to build better "mousetraps", this book illustrates 
basic concepts of security engineering through real-world examples, including 
system design successes and failures. It provides security design tips, tricks, 
and, sometimes, even secrets from military and medical records to Internet 
intrusion detection and burglar alarms. The author explains how to use a wide 
range of security tools, including cryptography, DES, AES, Skipjack, Unix 
passwords, hash functions, stream ciphers, and public keys to build secure, 
crime-fighting, virus-proof security systems for industry.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0471389226/netsecurity >

----------------------------------------------------------------------------

CRYPTOGRAPHY AND E-COMMERCE: A WILEY TECH BRIEF

Cryptography basics for non-technical managers working with e-business 
products and services. With more and more companies vying for e-commerce 
market share, the competitive edge belongs to those who can offer the best 
and most secure services over the Internet. This book offers a handy, quick 
reference guide to cryptography--the enabling technology for secure 
Internet-based transactions. The author takes the mystery out of the math, injects 
humor, and provides clear, easy-to-understand explanations and case studies. 
Graff responds to the growing need among managerial and sales and marketing 
staff for a brief, non-technical version of Bruce Schneier's Applied Cryptography. 
The author draws on successful presentations given at Cylink, Amdahl, Wells 
Fargo, KPMG Peat Marwick, Deloitte & Touche, and NetReliance. Topics covered 
include keys & management, Kerberos, Windows 2000 security, PKI, cryptography 
protocols, certificates, digital signatures, and government policy.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0471405744/netsecurity >

----------------------------------------------------------------------------

THE INTERNET SECURITY GUIDEBOOK: FROM PLANNING TO DEPLOYMENT

This book provides a complete analysis of an enterprise's Internet security. 
Strategies, steps, and procedures for conducting business securely on the 
Internet are discussed and reviewed. Very few organizations take the 
needed precautions to protect their Internet enterprise. Protection is 
not simply a firewall or technology; it is a strategy that encompasses 
risk, trust, business goals, security processes, and technology. The 
holistic approach offered in this book evaluates security needs in relation 
to business goals and the current attacks on the global Internet. The goal 
of The Internet Security Guidebook is to protect the business-computing 
environment by keeping our online enterprises functioning correctly and 
securely. Unlike other books available, this book contains a complete guide 
to Internet security that is accessible to both novices and computer 
professionals. The specific steps discussed and illustrated show the reader 
how to implement security from the individual process to the complete 
corporate enterprise. The reader will also learn about resources that can 
help such as the CERT, the FBI, and even their own software vendors.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0122374711/netsecurity >

----------------------------------------------------------------------------

INFORMATION HIDING: STEGANOGRAPHY AND WATERMARKING - ATTACKS 
AND COUNTERMEASURES (ADVANCES IN INFORMATION SECURITY, VOLUME 1)

This book deals with information hiding. With the proliferation of multimedia on 
the Internet, information hiding addresses two areas of concern: privacy of 
information from surveillance (steganography) and protection of intellectual 
property (digital watermarking). Steganography (literally, covered writing) 
explores methods to hide the existence of hidden messages. These methods 
include invisible ink, microdot, digital signature, covert channel, and spread 
spectrum communication. Digital watermarks represent a commercial application 
of steganography. Watermarks can be used to track the copyright and ownership 
of electronic media. In this volume, the authors focus on techniques for hiding 
information in digital media. They analyze the hiding techniques to uncover their 
limitations. These limitations are employed to devise attacks against hidden 
information. The goal of these attacks is to expose the existence of a secret 
message or render a digital watermark unusable. In assessing these attacks, 
countermeasures are developed to assist in protecting digital watermarking 
systems.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0792372042/netsecurity >

----------------------------------------------------------------------------




Security Software
-------------------

All programs are located at:
http://net-security.org/various/software

----------------------------------------------------------------------------

AVX FOR ICQ

AVX for ICQ is a FREE utility which uses new technology to intercept, filter, 
and virus scan all files sent during an ICQ chat session. The new proprietary 
technology incorporates features found on enterprise-class corporate firewalls. 
AVX for ICQ uses the same powerful virus protection scan engine incorporated 
into the AntiVirus eXpert Professional (AVX), a full-featured virus protection 
application for desktops.

Info/Download:
< http://www.net-security.org/various/software/983140894,72643,windows.shtml >

----------------------------------------------------------------------------

SAFEMAIL V.2.1

SafeMail allows you to communicate and exchange information securely with 
other people. Based on well known standards, SafeMail will allow you to easily 
"digitally sign" all messages and files. SafeMail protects your data against any 
prying eyes while your messages travel through the Internet. In addition, 
SafeMail automatically compresses messages and files thus saving valuable 
transmission time.

Info/Download:
< http://www.net-security.org/various/software/982874633,89644,mac.shtml >

----------------------------------------------------------------------------

OPENSSH 2.5.1P1

This is a Linux/portable port of OpenBSD's excellent OpenSSH. OpenSSH is 
based on the last free version of Tatu Ylonen's SSH with all patent-encumbered 
algorithms removed, all known security bugs fixed, new features reintroduced, 
and many other clean-ups. Changes: Added support for RSA pubkeys, Agent 
forwarding, remote forwarding, and SFTP. Also includes many bug fixes.

Info/Download:
< http://www.net-security.org/various/software/983140424,48189,linux.shtml >

----------------------------------------------------------------------------

PASSVAULT 3.1

PassVault is a database that will enable you to keep all your Passwords, 
Account Numbers, PIN Numbers, Locker Combinations, Credit Card Numbers 
and more in a consolidated place.

Info/Download:
< http://www.net-security.org/various/software/983140266,5770,windows.shtml >

----------------------------------------------------------------------------

NMAP 2.54 BETA 19

Nmap is a utility for port scanning large networks, although it works fine for 
single hosts. Sometimes you need speed, other times you may need stealth. 
In some cases, bypassing firewalls may be required. Not to mention the fact 
that you may want to scan different protocols (UDP, TCP, ICMP, etc.). Nmap 
supports Vanilla TCP connect() scanning, TCP SYN (half open) scanning, TCP 
FIN, Xmas, or NULL (stealth) scanning, TCP ftp proxy (bounce attack) scanning, 
SYN/FIN scanning using IP fragments (bypasses some packet filters), TCP ACK 
and Window scanning, UDP raw ICMP port unreachable scanning, ICMP scanning 
(ping-sweep), TCP Ping scanning, Direct (non portmapper) RPC scanning, Remote 
OS Identification by TCP/IP Fingerprinting, and Reverse-ident scanning. Nmap 
also supports a number of performance and reliability features such as dynamic 
delay time calculations, packet timeout and retransmission, parallel port scanning, 
and detection of down hosts via parallel pings.

Info/Download:
< http://www.net-security.org/various/software/983140545,60712,linux.shtml >

----------------------------------------------------------------------------




Defaced archives
------------------------

[20.02.2001] - Iraki Satellite Television
Original: http://www.irakitv.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/www.irakitv.com/

[20.02.2001] - Kolinska
Original: http://www.kolinska.si/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/www.kolinska.si/

[20.02.2001] - Pension Fund of America
Original: http://www.pensionfundofamerica.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/www.pensionfundofamerica.com/

[20.02.2001] - Laser Technology
Original: http://www.laser-printer-tech.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/www.laser-printer-tech.com/

[20.02.2001] - Tatung Netherlands
Original: http://www.tatung.nl/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/www.tatung.nl/

[20.02.2001] - ICQ Groups
Original: http://groups.icq.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/20/groups.icq.com/

[21.02.2001] - Adidas de Mexico
Original: http://www.adidas.com.mx/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/www.adidas.com.mx/

[21.02.2001] - Best Buy Internet
Original: http://www.bestbuyinternet.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/www.bestbuyinternet.com/

[21.02.2001] - Internet Communication Network
Original: http://klaatu.fusive.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/klaatu.fusive.com/

[21.02.2001] - Toshiba International Corporation
Original: http://www.toshiba.com.au/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/www.toshiba.com.au/

[21.02.2001] - Hacker (HK)
Original: http://www.hacker.com.hk/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/www.hacker.com.hk/

[21.02.2001] - Kentucky State Government
Original: http://kydisweb1.state.ky.us/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/21/kydisweb1.state.ky.us/

[22.02.2001] - Governo do Estado de Sao Paulo
Original: http://www.procon.sp.gov.br/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/22/www.procon.sp.gov.br/

[22.02.2001] - Le Ministre de l'Agriculture
Original: http://www.agr.gouv.qc.ca/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/22/www.agr.gouv.qc.ca/

[22.02.2001] - Hewlett-Packard Company
Original: http://www.netserver.hp.com/
Defaced: http://www.attrition.org/mirror/attrition/2001/02/22/www.netserver.hp.com/

----------------------------------------------------------------------------


Questions, contributions, comments or ideas go to:
 
Help Net Security staff
 
staff@net-security.org
http://net-security.org
http://security-db.com