FW: Security In The News - February 13, 2004
- From: Howell, Paul
- Date: Fri Feb 13 16:20:39 2004
Security In The News, LAST UPDATED: 2/13/04. This report is also available on the Internet at http://news.ists.dartmouth.edu/todaysnews.html
Homeland Security & Infrastructure Protection
- Energy Department IG urges tighter security at labs - Government Computer News, 2/11/04
- Lawmakers want full assessment of terrorism risks - Government Executive, 2/12/04
- Also - Federal Computer Week, 2/12/04
- Security chief urges partnering - Federal Computer Week, 2/11/04
- Also - PC World, 2/11/04
- Also - Federal Computer Week, 2/12/04
- China to complete national network and information security system in 5 years - People's Daily, 2/13/04
Cybercrime-Hacking
- FTC, international coalition crack down on misleading Web sites - Computerworld, 2/12/04
- Also - Yahoo News (AP), 2/12/04
- FTC Issues Warning About Fake Anti-Spam Site - Washtech (Reuters), 2/12/04
- PlayStation spammers settle charges - C-Net (Reuters), 2/12/04
- 3 Expected to Face Charges of Illegally Copying Movie Prints - Los Angeles Times, 2/12/04
- Attacks puzzle open-source community - ZDNet News, 2/13/04
- Guilty plea in international $10 million cable piracy scheme - Siliconvalley (AP), 2/12/04
- FBI on trail of e-mail fraud - The Baltimore Sun, 2/13/04
- 'Hackah Jak' trial could reveal FBI ties - Cincinnati Enquirer, 2/12/04
- West Linn teen faces charges in computer hacking case - Katu.com, 2/10/04
- Hackers cripple Internet classes - St. Petersburg Times, 2/11/04
- Cliff Stanford charged with hacking Redbus - The Register, 2/13/04
- State agency warns of security breach - C-Net News, 2/13/04
Politics-Legislation
- Congress and Cybersecurity - Washington Post, 2/12/04
- Lack of cybercrime laws stifle enforcement agencies - Inq7.net, 2/12/04
Malware
- MyDoom dies today - The Register, 2/12/04
- Also - Government Computer News, 2/11/04
- Also - Security Pipeline, 2/11/04
- Also - Silicon.com, 2/13/04
- Also - Webuser, 2/13/04
- Also - EWeek.com, 2/11/04
- Nachi variant sends a political message - C-Net News, 2/12/04
- DJ's dance record inspires virus writer, Sophos comments - sophos virus info, 2/12/04
- Internet travelers should beware of Ibiza - SearchSecurity, 2/13/04
Technology
- Cisco develops WLAN security protocol to defeat password attacks - Computerworld, 2/12/04
- Also - Techworld, 2/13/04
- IBM, Cisco jointly seek better security - SiliconValley.com, 2/13/04
- Also - C-Net (Reuters), 2/12/04
- Also - Info World, 2/13/04
- Also - Information Week, 2/13/04
Vulnerabilities & Exploits
- Stolen Windows code not critical weakness - vnunet.com, 2/13/04
- Also - C-Net News, 2/12/04
- Also - Washington Post, 2/13/04
- Also - BBC, 2/13/04
- Also - Network World Fusion, 2/12/04
- Security Firm Says Several More Microsoft Vulnerabilities Await Fixes - Techweb, 2/11/04
- Red Hat releases Mailman fix - Search Security, 2/11/04
- Ticketer lashed for security hole - Australian IT, 2/12/04
Civil & Consumer Issues
- New Anti-spam Initiative Gaining Traction - EWeek.com, 2/12/04
Homeland Security & Infrastructure Protection
- Title: Energy Department IG urges tighter security at labs
- Source: Government Computer News
- Date Written: February 11, 2004
- Date Collected: February 13, 2004
- An audit report by the US Department of Energy's (DOE) Inspector General
(IG) Gregory H. Friedman found that the department's national laboratories
have flaws in their security controls relating to classified projects and
sensitive technology research. The report, 'Safeguards Over Sensitive
Technology', also warned that Sandia, Los Alamos and Oak Ridge National
Laboratories were applying department security policies and security
classification reviews inconsistently. IG Friedman recommended that the
laboratories tighten security procedures and clarify security policies.
Security has become a major concern for DOE following reports of several
security lapses in recent years.
- http://www.gcn.com/vol1_no1/daily-updates/24925-1.html
- Title: Lawmakers want full assessment of terrorism risks
- Source: Government Executive
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- At a hearing of the House Homeland Security Committee on February 12,
2004, lawmakers called on the Department of Homeland Security (DHS) to
create a full risk assessment of potential terrorist threats so that more
concrete security goals can be established and resources can be targeted
more efficiently to meet the most pressing needs. Homeland Security
Secretary Tom Ridge expects such an assessment to be completed within the
next 60 to 90 days. Secretary Ridge also expressed his support for making
the temporary House Homeland Security Committee permanent and consolidating
congressional oversight of his department. Lawmakers also stressed the need
for adequate and timely funding for the nation's first responders.
- http://www.govexec.com/dailyfed/0204/021204tdpm1.htm
- Also - http://www.fcw.com/fcw/articles/2004/0209/web-ridge-02-12-04.asp
- Title: Security chief urges partnering
- Source: Federal Computer Week
- Date Written: February 11, 2004
- Date Collected: February 13, 2004
- Speaking at a breakfast meeting of the Information Technology
Association of America (ITAA) on February 11, 2004, Amit Yoran, director of
the National Cyber Security Division (NCSD) at the Department of Homeland
Security (DHS), said that the government would work diligently to improve
cooperation with the private sector for the purpose of protecting the US
information infrastructure against cyber attacks. He added that "notable"
progress has been made on creating the Cyber Warning and Information
Network, a survivable network for sharing critical information if the
Internet and other communications systems are taken out by an attack.
According to Mr. Yoran, the DHS will focus on various aspects of
cybersecurity, including raising security awareness and pursuing secure code
development, as part of a long-term strategy.
- http://www.fcw.com/fcw/articles/2004/0209/web-yoran-02-11-04.asp
- Also - http://www.pcworld.com/news/article/0,aid,114749,00.asp
- Also - http://www.fcw.com/fcw/articles/2004/0209/web-outreach-02-12-04.asp
- Title: China to complete national network and information security system in 5 years
- Source: People's Daily
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- Speaking at a national workshop on handling Internet emergencies on
February 11, 2004, Lu Chengzhao, deputy director-general of the Office of
China National Network and Information Security Coordinating Group, said
that China is making progress in setting up a public Internet emergency
response system to manage network security problems and coordinate national
responses. He added that China's National Network and Information Security
System should be completed by 2009.
- http://fpeng.peopledaily.com.cn/200402/13/eng20040213_134785.shtml
Cybercrime-Hacking
- Title: FTC, international coalition crack down on misleading Web sites
- Source: Computerworld
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- More than two dozen consumer protection agencies around the world,
including the US Federal Trade Commission (FTC), took part in a major
campaign, between February 10 and February 12, 2004, to track down
"too-good-to-be-true" scam websites. The crackdown, which is being
coordinated by the Australian Competition and Consumer Commission (ACCC),
aims to find sites that offer Internet users bogus get-rich-quick schemes,
work-at-home schemes and other scams that include hidden fees and charges,
which often cost victims thousands of dollars. The latest action is part of
an ongoing effort by members of the International Consumer Protection and
Enforcement Network (ICPEN), a network of consumer protection agencies from
31 countries. The findings of the campaign will be turned over to
authorities in each of the countries involved. They will then decide on
possible legal or law enforcement action.
- http://computerworld.com/securitytopics/security/story/0,10801,90162,00.html
- Also - http://story.news.yahoo.com/news?tmpl=story&cid=528&e=4&u=/ap/20040212/ap_on_hi_te/scam_web_sites
- Title: FTC Issues Warning About Fake Anti-Spam Site
- Source: Washtech (Reuters)
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- On February 12, 2004, the US Federal Trade Commission (FTC) warned
consumers not to sign up for a service that claims to reduce spam because it
is a fraud. According to the FTC, people who submit their e-mail addresses
to the site (www.unsub.us) run the risk of receiving even more spam or
falling victim to identity theft. The website was designed to look similar
to the FTC site where consumers can sign up for the national 'do not call'
registry. However, no 'do not spam' service currently exists, although the
idea is under review.
- http://www.washingtonpost.com/wp-dyn/articles/A37291-2004Feb12.html
- Title: PlayStation spammers settle charges
- Source: C-Net (Reuters)
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- On February 11, 2004, BTV Industries and three individuals involved with
the company reached a settlement with the US Federal Trade Commission (FTC)
on deceptive business charges stemming from March 2002. According to the
FTC, BTV Industries sent out spam messages to Internet users saying they had
won a Sony PlayStation 2 in a contest; those who tried to claim the prize
were tricked into downloading modem-dialer software that connected them to a
pornographic website, where they were secretly charged $3.99 a minute. Under
the settlement, BTV Industries has returned $25,000 in gains from the scheme
and the individuals involved have promised not to engage in similar actions
in the future.
- http://news.com.com/2100-1030_3-5158084.html
- Title: 3 Expected to Face Charges of Illegally Copying Movie Prints
- Source: Los Angeles Times
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- As part of a major crackdown against movie piracy by the Federal Bureau
of Investigation (FBI) and the US Attorney's Office, charges are thought to
be imminent against three employees of Lightning Dubbs, a Los Angeles-based
motion picture postproduction facility, for allegedly illegally copying the
movies 'The Passion of the Christ' and 'Kill Bill: Vol. 1', which later
turned up on the Internet. Action is finally expected following a lengthy
investigation by the FBI and the US Attorney's Office. In the last six
months, authorities have brought several copyright infringement cases to
trial in connection with movies prematurely released on the Internet.
- http://www.latimes.com/technology/la-me-piracy12feb12,1,616300.story
- Title: Attacks puzzle open-source community
- Source: ZDNet News
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- Four Macromedia Flash developer community websites - actionscript.org,
actionscript.co.uk, flashgroup.co.uk and robertpenner.com - have suffered
cyber attacks in recent weeks that appear to have exploited a vulnerability
in a common open source mailing list application. At least one of the sites'
servers was compromised using a vulnerable PHP script in EMML (EternalMart
Mailing List Manager). The attacks all appear to have been relatively
harmless, usually involving website defacements, leading experts to believe
that they are hacker pranks. The Flash developer community is understandably
annoyed with the attackers, wondering why they chose to pick on volunteer
development sites.
- http://news.zdnet.co.uk/software/developer/0,39020387,39146184,00.htm
- Title: Guilty plea in international $10 million cable piracy scheme
- Source: Siliconvalley (AP)
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- Carlo Mireles, 29, of Las Vegas pleaded guilty on February 12, 2004 to
two conspiracy counts, one count of mail fraud, and four counts of assisting
in the unlawful interception of cable communications for his part in an
"international cable piracy scheme". Mr. Mireles and his partner, 41-year-old
Darryl Poll, are accused of making more than $10 million by selling
descramblers that allow users to illegally obtain free cable services. Mr.
Mireles will be sentenced on May 13, 2004 and could face up to 53 years in
prison and fines of $1.15 million. Mr. Poll has pleaded not guilty.
- http://www.siliconvalley.com/mld/siliconvalley/business/special_packages/security/7941509.htm
- Title: FBI on trail of e-mail fraud
- Source: The Baltimore Sun
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- US authorities, including the FBI's Internet crime center, are
increasingly investigating ever-more sophisticated online 'phishing' scams,
aimed at obtaining credit card and bank information from unsuspecting users.
Such scams, which have proliferated over the past year, now account for more
than half of the 15,000 monthly citizen complaints filed with the FBI's
online crime center. Furthermore, there are indications that such scams are
increasingly the work of organized crime groups, mainly from Russia and the
former Soviet Union, and terrorist sympathizers, according to FBI officials.
- http://www.baltimoresun.com/news/nationworld/bal-te.journal13feb13,0,4731528.column
- Title: 'Hackah Jak' trial could reveal FBI ties
- Source: Cincinnati Enquirer
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- On February 11, 2004, Common Pleas Judge Thomas Crush refused to dismiss
charges against 23-year-old hacker Jesse Tuttle, making it more likely that
the case will go to trial. Mr. Tuttle, who is also known as 'Hackah Jak', is
charged with storing child pornography on his computer and breaking into
Hamilton County's computer network. However, he claims that he was a paid
informant for the Federal Bureau of Investigation (FBI) and the actions
that led to his arrest were related to his work for the FBI. Court records
and other documents "indicate a link between the hacker and the agency," but
the FBI has, so far, not admitted or denied employing Mr. Tuttle.
- http://www.enquirer.com/editions/2004/02/12/loc_tuttle12.html
- Title: West Linn teen faces charges in computer hacking case
- Source: Katu.com
- Date Written: February 10, 2004
- Date Collected: February 13, 2004
- An 18-year-old West Linn High School student, Scott Metzger, was charged
last week by the Clackamas County district attorney's office for allegedly
hacking into his school's computer system and sending e-mails to
administrators claiming that he could destroy the system. Mr. Metzger was
arrested on November 14, 2003 and faces identity theft and computer crime
charges. Police do not believe his actions were malicious, and it is thought
that he did not tamper with sensitive information he gained access to.
- http://www.katu.com/news/story.asp?ID=64444
- Title: Hackers cripple Internet classes
- Source: St. Petersburg Times
- Date Written: February 11, 2004
- Date Collected: February 13, 2004
- A computer virus, probably MyDoom, or a cyber attack linked to the
virus, shut down the Internet infrastructure of St. Petersburg College on
February 5, 2004, preventing students from taking online tests or doing
homework. St. Petersburg College has Florida's largest electronic campus,
with 12,000 students taking classes and tests online. Systems were shut down
for at least four hours, causing significant disruptions. The FBI and the
Florida Department of Law Enforcement are investigating the incident. It is
unclear whether the problems were an incidental effect of the spread of the
virus or part of an intentional attack aimed at the school. St. Petersburg
College is part of the International Information Systems Security
Certifications Consortium, and is active in the field of cybersecurity.
- http://www.sptimes.com/2004/02/11/Northpinellas/Hackers_cripple_Inter.shtml
- Title: Cliff Stanford charged with hacking Redbus
- Source: The Register
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- Cliff Stanford, 49, who currently resides in Belgium, was charged, on
February 13, 2004, with conspiracy to blackmail and computer crime offences
linked to an alleged hack of hosting firm Redbus Interhouse's e-mail
systems. Mr. Stanford, who co-founded Redbus Interhouse in 1999 but resigned
in 2002, is scheduled to appear at Bow Street Magistrates Court on March 2,
2004 along with co-defendant George Nelson Liddell. The men were arrested
following an investigation by the UK's National Hi-Tech Crime Unit (NHTCU).
- http://www.theregister.co.uk/content/55/35561.html
- Title: State agency warns of security breach
- Source: C-Net News
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- The California Employment Development Department (EDD) sent out a
letter, on February 11, 2004, warning approximately 55,000 employees that
their personal information, possibly including names, Social Security
numbers and wage data, may have been accessed by an unauthorized intruder.
The intruder gained access to one of EDD's servers. The security breach was
detected on January 20, 2004. While it is unclear whether any personal
employee information was actually accessed - it appears the server was used
primarily to send out spam - the EDD was obliged to inform the workers of
the breach due to a California privacy law passed in 2003. The computer
crimes unit of the California Highway Patrol has been brought in to
investigate the matter.
- http://news.com.com/2100-7355_3-5158936.html
Politics-Legislation
- Title: Congress and Cybersecurity
- Source: Washington Post
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- In this online discussion on February 12, 2004, Representative Adam
Putnam (R.-Fla.), chair of the House Government Reform Subcommittee on
Technology, Information Policy, Intergovernmental Relations and the Census,
spoke about his efforts to improve national cybersecurity awareness and
standards. Mr. Putnam had introduced legislation that would have forced
public companies to implement minimum cybersecurity measures, but later
delayed the bill to give the private sector time to develop its own security
programs and initiatives. As most of the US's critical infrastructures are
in private hands, Mr. Putnam believes that the private sector, in
cooperation with government, should play a leading role in cybersecurity. He
also expressed support for the Department of Homeland Security's (DHS)
cybersecurity efforts under the National Cyber Security Division (NCSD).
- http://www.washingtonpost.com/wp-dyn/articles/A26684-2004Feb9.html
- Title: Lack of cybercrime laws stifle enforcement agencies
- Source: Inq7.net
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- Law enforcement officials from the Philippines, including Police
Superintendent Gilbert Sosa, head of the cybercrime unit at the Philippine
National Police Criminal Investigation and Detection Group, and computer
forensic specialist Alex Ramos, warn that their country's cybercrime laws
are inadequate for dealing with a variety of online offenses, including
online fraud, cyber-stalking, child abuse and pornography. The country's
Information Technology and E-commerce Council is currently pushing a
stricter cybercrime law, but its passage is not assured.
- http://www.inq7.net/inf/2004/feb/13/inf_1-1.htm
Malware
- Title: MyDoom dies today
- Source: The Register
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- The MyDoom.A computer worm is scheduled to stop spreading and stop
launching denial of service (DoS) attacks against software maker the SCO
Group on February 12, 2004. However, the worm is expected to fizzle out
gradually rather than stop all at once, because some infected computers have
their date or time set wrong. MyDoom
has been the most prolific virus in history - e-mail monitoring firm
MessageLabs "blocked the virus 43,979,281 times in the two weeks since its
first appearance in late January. At the height of the epidemic, one in 12
emails the firm scanned were viral." This week, a variety of variants of
MyDoom also appeared, along with malicious code that exploits back doors
opened up on infected machines by MyDoom. However, MyDoom.B, MyDoom.C (also
known as Doomjuice.A), Doomjuice.B and Deadhat all had less of an impact
than the original MyDoom worm. Tens of thousands of machines on the Internet
remain infected with one of the variants or still have an open backdoor to
allow remote access for an attacker.
- http://www.theregister.co.uk/content/56/35516.html
- Also - http://www.gcn.com/vol1_no1/daily-updates/24927-1.html
- Also - http://www.securitypipeline.com/17603170
- Also - http://www.silicon.com/software/security/0,39024655,39118379,00.htm
- Also - http://www.web-user.co.uk/news/47877.html
- Also - http://www.eweek.com/article2/0,4149,1524829,00.asp
- Title: Nachi variant sends a political message
- Source: C-Net News
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- The new variant of the Nachi worm (Nachi.B), discovered on February 11,
2004, appears politically motivated and may have been written by someone
from China, according to security experts. Nachi.B plants a document on
Microsoft Windows systems that contains significant dates and information
relating to World War II tensions between China and Japan, including the
Japanese invasion of Manchuria. While the worm is set to uninstall itself on
June 1, 2004, it will remain on computers that run Japanese versions of
Windows. Nachi.B tracks down and removes variants of the MyDoom worm from
infected machines. It has not spread widely so far and anti-virus firms do
not view it as a major threat.
- http://news.com.com/2100-7355_3-5158436.html
- Title: DJ's dance record inspires virus writer, Sophos comments
- Source: sophos virus info
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- A new virus, known as W32/Order-A, was detected by anti-virus firm
Sophos on February 12, 2004. The virus, written by someone calling himself
Xevion, appears to be a tribute to Dutch dance DJ Marco V. Order.A copies
lyrics from the song 'Godd' by Marco V onto the victim's hard drive in a
file called Chaos.txt. It is unclear whether it does anything else. Musical
artists, such as Kylie Minogue, Celine Dion and Iron Maiden, have been
invoked by malware authors in the past.
- http://www.sophos.com/virusinfo/articles/djinspires.html
- Title: Internet travelers should beware of Ibiza
- Source: SearchSecurity
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- Security firm iDefense is warning Internet users about a new Trojan
horse program, known as Ibiza-A, that exploits a vulnerability in
Microsoft's Internet Explorer (IE) web browser for which no fix currently
exists. According to iDefense, the Trojan has infected at least 5,000
computers as of February 13, 2004. Users can only be affected if they click
on a link that appears to lead to a travel-related website; once a machine
has been infected, Ibiza downloads and installs additional code, changes the
Windows registry, and opens TCP port 10002 to listen for commands from its
author. To protect themselves, users could utilize different browsers such
as Mozilla or Opera or only visit websites they trust.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950421,00.html
Technology
- Title: Cisco develops WLAN security protocol to defeat password attacks
- Source: Computerworld
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- Cisco Systems Inc. submitted a draft of a new wireless LAN security
protocol, known as Extensible Authentication Protocol-Flexible
Authentication via Secure Tunneling (EAP-FAST), to the Internet Engineering
Task Force (IETF) on February 9, 2004. Cisco hopes that EAP-FAST will be
included in the IETF's 802.1x wireless LAN security protocol that is
currently under development. The new WLAN security protocol was designed to
defeat brute force dictionary attacks that capture a user's unencrypted
passwords; it does this "by sending password authentication between a WLAN
client and wireless LAN access points through a secure, encrypted tunnel."
EAP-FAST, which should be available for free download by the end of March
2004, is meant to complement existing WLAN protocols, such as the Protected
Extensible Authentication Protocol (PEAP) and the Lightweight Extensible
Authentication Protocol (LEAP), according to Ron Seide, WLAN product line
manager at Cisco.
- http://www.computerworld.com/securitytopics/security/story/0,10801,90163,00.html
- Also - http://www.techworld.com/news/index.cfm?fuseaction=displaynews&NewsID=1028
- Title: IBM, Cisco jointly seek better security
- Source: SiliconValley.com
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- Technology giants IBM and Cisco Systems are poised to announce a pact on
security on February 13, 2004, that would link some of their products
together and make them easier to integrate for the purpose of better
protecting networks against worms, viruses and other cyber threats. Their
partnership for computers and communications
networks would include the integration of authentication technology from
both companies, as well as facilitating the interoperability of IBM's
embedded security chips with Cisco's virtual private network (VPN)
solutions.
- http://www.siliconvalley.com/mld/siliconvalley/7946744.htm
- Also - http://news.com.com/2100-7347_3-5158689.html
- Also - http://www.infoworld.com/article/04/02/13/HNibmciscosecurity_1.html
- Also - http://www.informationweek.com/story/showArticle.jhtml?articleID=17700015
Vulnerabilities & Exploits
- Title: Stolen Windows code not critical weakness
- Source: vnunet.com
- Date Written: February 13, 2004
- Date Collected: February 13, 2004
- A spokesperson for software giant Microsoft Corp. admitted, on February
12, 2004, that portions of the source code for the Windows 2000 and Windows
NT 4.0 operating systems (OSs) have been posted on the Internet. Overall,
about 658MB of code, only a fraction of the source code for an OS, has been
circulating on underground websites and networks. The Federal Bureau of
Investigation (FBI) has been brought in to investigate the leak. Microsoft
spokesman Tom Pilla said: "It's illegal for third parties to post Microsoft
source code and we take that activity very seriously." There is no
indication at present that the disclosure of the code was the result of a
security breach of Microsoft's corporate network. It is more likely that
third parties with whom Microsoft shares source code for research and
development purposes are responsible for the leak. According to one report,
the leak can be traced back to Mainsoft. Although only a small percentage of
Windows source code has been made public, some experts fear that the
incident could pose a threat to Internet security.
- http://www.vnunet.com/News/1152755
- Also - http://news.com.com/2100-7349_3-5158496.html
- Also - http://www.washingtonpost.com/wp-dyn/articles/A38314-2004Feb12.html
- Also - http://news.bbc.co.uk/2/hi/technology/3486011.stm
- Also - http://www.nwfusion.com/news/2004/0212msleak.html
- Title: Security Firm Says Several More Microsoft Vulnerabilities Await Fixes
- Source: Techweb
- Date Written: February 11, 2004
- Date Collected: February 13, 2004
- California-based security company eEye Digital Security has posted a
list of seven new Microsoft vulnerabilities on its website, without
providing any details about the flaws. The firm says that it discovered the
flaws and has notified Microsoft; eEye is waiting for Microsoft to make
patches available before providing detailed information about the
vulnerabilities to ensure that hackers do not put the information to
malicious use while users remain unprotected. Three of the seven flaws are
given a 'high' severity rating. eEye Digital Security also unearthed the
vulnerability that Microsoft fixed on February 10, 2004; that particular
flaw is regarded as "one of the most serious Windows security
vulnerabilities ever," but Microsoft took seven months to develop a patch.
Microsoft has been aware of two of the serious new vulnerabilities since
September 2003.
- http://www.techweb.com/wire/story/TWB20040211S0005
- Title: Red Hat releases Mailman fix
- Source: Search Security
- Date Written: February 11, 2004
- Date Collected: February 13, 2004
- Open source software vendor Red Hat has warned customers of two security
vulnerabilities in Mailman, a program for managing mailing lists included in
several versions of Red Hat's Linux operating system. Linux Advanced Server
2.1 for Itanium, Enterprise Linux ES 2.1 and Enterprise Linux AS 2.1 are
affected by the flaws. The first vulnerability is in the admin CGI script of
Mailman versions that predate 2.1.4 and "can allow a remote attacker to
steal session cookies and to conduct unauthorized activities, including
cross-site scripting". The flaw also makes systems vulnerable to denial of
service (DoS) attacks. The second vulnerability "in the create CGI script of
Mailman 2.1.x versions before 2.1.3 also permits a remote attacker to steal
cookies." Red Hat recommends that affected users install updated versions of
the Mailman package.
- http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci950145,00.html
- Title: Ticketer lashed for security hole
- Source: Australian IT
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- Australia's Federal Privacy Commissioner Malcolm Crompton has criticized
Ticketmaster 7 for a security vulnerability that allows users of the ticket
company's website to find out personal information about other users,
including names, addresses, and e-mail addresses. Mr. Crompton called the
flaw, which is linked to how user queries are displayed as URLs, a "simple
security hole". He expressed disappointment that such "fundamental errors"
were still being made more than two years after the country's Privacy Act
was introduced in December 2001, and urged other companies to learn from
Ticketmaster 7's mistakes. The company has closed down the service and is
reviewing its security posture.
- http://australianit.news.com.au/articles/0,7204,8660706^15331^^nbv^15306-15318,00.html
Civil & Consumer Issues
- Title: New Anti-spam Initiative Gaining Traction
- Source: EWeek.com
- Date Written: February 12, 2004
- Date Collected: February 13, 2004
- On February 11, 2004, a group of volunteer developers published an
Internet draft of a new anti-spam framework that they hope could be adopted
shortly as an Internet Engineering Task Force (IETF) standard. The Sender
Policy Framework (SPF), which is the result of eight months of work by the
SMTP+SPF group, a loose association of about 500 people led by Meng Weng
Wong, seeks to improve the Simple Mail Transfer Protocol (SMTP) by
preventing the spoofing of e-mail addresses and the hijacking of SMTP
servers. Mr. Wong plans to attend the next IETF meeting at the end of
February 2004 in Seoul, South Korea. He hopes either for the establishment
of a working group to study SPF, or for direct adoption of the framework.
- http://www.eweek.com/article2/0,4149,1526253,00.asp
To change your delivery preferences please go to: http://news.ists.dartmouth.edu/cgi-bin/change.cgi
If you wish to stop receiving the 'Security in the News' service please go to: http://news.ists.dartmouth.edu/substop.html

The Institute for Security Technology Studies (ISTS) accepts no responsibility for any error or omissions in this e-mail. The information presented is a compilation of material from various sources and has not been verified by staff of the ISTS. Therefore, the ISTS cannot be made responsible for the factual accuracy of the material presented. The ISTS is not liable for any loss or damage arising from or in connection with the information contained in this report. It is the responsibility of the user to evaluate the content and usefulness of this information. References in this e-mail to any specific commercial products, processes, or services by trade name, trademark, manufacturer, or otherwise, do not constitute or imply endorsement, recommendation, or favoring by the ISTS. ISTS is a research, not operational, organization, and makes its Security in the News e-mail available as a public service on a best-effort basis. Security in the News will be sent out on most business days, but not all.

Institute for Security Technology Studies
Dartmouth College
45 Lyme Road, Suite 200
Hanover, NH 03755
Tel: (603) 646 0700
E-mail: dailyreport@ists.dartmouth.edu