0blivion nº2 - NEWS1.txt - 15/03/2000
 _____________________________________________________
/            Oblivion Underground Magazine            \
/               Issue 2   15/04/2000                  \
▌          This Month's News, Selection 1             ▌
\                     by Slider                       /
 \_____________________________________________________/

Here is a list of headlines that should be of some interest to people,
covering March - April 2000:


Mar 6, 2000

Wired: A Turning Point for E-Privacy
<http://wired.com/news/politics/0,1283,34734,00.html>
- February 2000 should prove to be a month to remember for Internet privacy
  advocates -- and DoubleClick investors. It ended with the online ad firm
  announcing it would suspend plans to tie names to now-anonymous user Web
  "cookies" until online privacy standards were established.

ZDNet: Biometrics -- the end of online fraud?
<http://www.zdnet.com/zdnn/stories/news/0,4586,2444322,00.html?chkpt=zdhpnews01>
- A growing number of e-businesses are exploring the use of finger scanning
  and other biometric technology to identify users and protect against online
  crime.


Mar 3, 2000

NewsBytes: Clinton Battens Down Govt Net Security Hatches
<http://www.newsbytes.com/pubNews/00/144971.html>
- President Clinton has asked each cabinet secretary and agency head to renew
  their efforts to make sure their computer networks are safe against denial
  of service and other illegal Internet attacks.

CIAC: MySQL Password Authentication Vulnerability
<http://www.ciac.org/ciac/bulletins/k-025.shtml>
- MySQL database server versions prior to 3.22.32 have a flaw in the password
  authentication mechanism which allows anyone who can connect to the server
  to access databases without requiring a password, given a valid username on
  the database - in other words, the normal password authentication mechanism
  can be completely bypassed.

TechWeb: Linux Suppliers Focus On Improved Security
<http://www.techweb.com/wire/story/TWB20000302S0022>
- Efforts are under way to make Linux more secure for e-business, now that
  it's making inroads as an enterprise server platform.

NYLJ: Getting Hacked Could Lead to Getting Sued
<http://www.nylj.com/stories/00/03/030200a5.htm>
- "Somebody's going to get sued: that's clear," said David J. Loundy, of
  Chicago's D'Ancona & Pflaum LLC. "Somebody's going to want a test case. The
  issue is whether there's going to be one or two of these suits, or whether
  it's going to be open season against service providers," said Mr. Loundy,
  who teaches computer crime at Chicago's John Marshall Law School.

ZDNet: New Pretty Park virus in the wild
<http://www.zdnet.com/zdnn/stories/news/0,4586,2455265,00.html?chkpt=zdhpnews01>
- The Trojan horse, which arrives as an e-mail attachment named
  'prettypark.exe', has already victimized universities and corporations.

ZDNet: Coolio not a suspect in DoS attacks
<http://www.zdnet.com/zdnn/stories/news/0,4586,2455311,00.html?chkpt=zdnntop>
- Despite admitting hacking 100 sites, the 17-year-old is not responsible for
  big denial-of-service attacks on Web sites, investigators say.

Currents: Hacker Whacks Salesgate
<http://www.currents.net/newstoday/00/03/03/news2.html>
- Salesgate.com says some credit data belonging to thousands of customers,
  taken when a hacker broke into the e-commerce site, was posted on the
  Internet.

Debian: Remote exploit in nmh
<http://www.debian.org/security/2000/20000229>
- The version of nmh that was distributed in Debian GNU/Linux 2.1 aka slink
  did not check incoming mail messages properly. This could be exploited by
  using carefully designed MIME headers to trick mhshow into executing
  arbitrary shell code. This has been fixed in version 0.27-0.28-pre8-4. We
  recommend you upgrade your nmh package immediately.

TechWeb: Microsoft Gives Grants To Solve DoS Attacks
<http://www.techweb.com/wire/story/TWB20000302S0012>
- Microsoft is awarding two grants to university researchers to help network
  administrators fend off distributed denial of service attacks, executives
  said Thursday.


Mar 2, 2000

SJMercury: Infamous hacker sought for advice
<http://www.sjmercury.com/svtech/news/breaking/ap/docs/272497l.htm>
- In a bizarre twist to the federal prosecution of Kevin Mitnick, a Senate
  panel today asked him to explain ways hackers infiltrate sensitive computer
  systems, and to suggest solutions to lawmakers.

FCW: New federal security policy on the way
<http://www.fcw.com/fcw/articles/2000/0228/web-security-03-02-00.asp>
- Commercial information security products designed to protect information
  systems from cyberattacks will next year have to meet strict international
  standards before government agencies can purchase them.

ZDNet: Intuit scrambles to plug Quicken leaks
<http://www.zdnet.com/zdnn/stories/news/0,4586,2454429,00.html?chkpt=zdnntop>
- Personal financial information that consumers key into Intuit Corp.'s
  popular Quicken Web site has been leaking out to advertisers, and the
  company moved swiftly to address the problem.

Cert: Congressional Testimonies and Reports to Government
<http://www.cert.org/congressional_testimony/Cross_testimony_Mar2000.html>
- On March 1, 2000, the director of the Software Engineering Institute at
  Carnegie Mellon University, of which the CERT/CC is a part, presented
  testimony on the issue of cyber security.

EcommerceTimes: Expedia Reports Significant Credit Card Fraud
<http://www.ecommercetimes.com/news/articles2000/000302-1.shtml>
- Online travel agency and Microsoft spin-off Expedia.com reported Wednesday
  that it will record $4 to $6 million in third quarter losses to cover
  fraudulent credit card purchases made on its Web site.

EcommerceTimes: Diversinet Delivers Linux-Based Wireless E-Commerce Security
<http://www.ecommercetimes.com/news/articles2000/000301-1.shtml>
- Software security solutions provider Diversinet Corp. announced Tuesday
  that it is extending support of its Software Development Kit for creating
  wireless e-commerce applications to the Linux open-source platform.

TechServer: CD Universe regroups after online theft of credit card data
<http://www.techserver.com/noframes/story/0,2294,500175233-500227783-501098807-0,00.html>
- It began with an e-mail, the kind of nasty missive e-commerce CEOs dread.
  The sender, describing himself as a 19-year-old Russian named "Maxim,"
  claimed to have pilfered 300,000 credit card numbers from CD Universe, a
  music retailing Web site. Maxim offered to destroy the stolen files in
  exchange for around $100,000.

Protecting Paperwork: System Documentation
<http://securityportal.com/direct.cgi?/topnews/paper20000302.html>
- "Just as you will monitor your firewall and install intrusion detection on
  your network, you must also educate your workforce on dangers arising from
  your business' paperwork. Encourage them to use proper safeguards, and
  don't be afraid to walk around after-hours and see what you can find. And,
  make sure all waste paper gets shredded."


Mar 1, 2000

Sophos: WM97Michael-B Word Macro Virus
<http://www.sophos.com/virusinfo/analyses/wm97michaelb.html>
- The virus uses the Office Assistant to display a random message, chosen
  from 21 possibilities. Amongst the messages which may be displayed are some
  credited to Virginia Woolf, Steve McConnell, David Parnas and Paul Clements,
  Kreitzberg and Schneiderman, Alice in Wonderland, Michael I. Buen, Glenford
  Myers, Donald Knuth, Peter Williams and Rich Cook.

InfoWorld: Justice Department asserts new laws needed to track hackers
<http://www.infoworld.com/articles/en/xml/00/02/29/000229enjustice.xml>
- U.S. Department of Justice officials on Tuesday told a joint congressional
  committee that the law has to be changed to make it easier to pursue
  hackers. They also want more money to hire prosecutors and analysts, as well
  as to improve the research capabilities of federal, state, and local law
  enforcers investigating cybercrime.

XForce: trin00 for Windows Distributed Denial of Service Attack Tool
<http://xforce.iss.net/alerts/advise44.php3>
- The Windows version of trin00 is similar to the Unix version. The daemon
  for Windows trin00 listens on port 34555, while the Unix version listens by
  default on port 27444. Unlike the Unix version of the trin00 daemon, the
  Windows daemon does not try to contact the master server to register. The
  ISS X-Force believes that this is to prevent someone who finds the daemon on
  a Windows machine from finding the IP address of the master by looking in
  the binary executable.

Security Challenges to E-Commerce Growth
<http://securityportal.com/direct.cgi?/topnews/egrowth20000301.html>
- Surveys conducted indicate that security concerns are still the biggest
  obstacle to e-commerce growth, especially with the media coverage of hackers
  attacking e-commerce web sites.

FCW: NSA moves to defuse Echelon controversy
<http://www.fcw.com/fcw/articles/2000/0228/web-NSA-02-29-00.asp>
- Days before the Feb. 27 broadcast of a "60 Minutes" story focusing on the
  U.S.-backed global electronic surveillance network known as Echelon, the
  National Security Agency sent a letter to every member of Congress
  reassuring them that the super-secret agency respects the privacy of U.S.
  citizens.

ZDNet: DoS: Linux to the rescue
<http://www.zdnet.com/zdnn/stories/news/0,4586,2453339,00.html?chkpt=zdhpnews01>
- Security firm TripWire Inc. is cannonballing into the open-source waters,
  with a friendly push from major Linux vendors Caldera Systems, Red Hat and
  SGI.

CERT Advisory: Multiple Vulnerabilities in Vixie Cron
<http://www.cert.org/vul_notes/VN-2000-01.html>
- An increase in the intruder activity associated with various
  vulnerabilities in certain implementations of the clock daemon cron has
  prompted the issuing of this note. Multiple intruder tools exploiting
  previously-discussed cron vulnerabilities have been found on compromised
  Linux systems as part of incidents recently reported to the CERT/CC.

Why Network Security?
<http://securityportal.com/direct.cgi?/topnews/why20000301.html>
- "Recent events demonstrate that security breaches to e-commerce are real...
  While no actual animal was harmed in the virtual beating of a dead horse,
  another mention of recent events provides a common starting point about
  network security and the protection of information. The fast pace of
  evolving technology brings new dimensions and new solutions to balancing the
  old battle of keeping risks down and security breaches to a manageable
  level."


Feb 29, 2000

Net Security Tops Capitol Hill
<http://www.currents.net/newstoday/00/02/29/news9.html>
- Congress members often accuse the federal government of being slow on the
  uptake compared to the lightning-quick innovations of the high-tech
  industry. But only several weeks after a series of crippling denial of
  service attacks on popular World Wide Web sites, the Hill this week looks
  forward to multiple hearings on the subject, along with the possible
  introduction of the long-awaited Cyberspace Electronic Security Act.

ZDNet: Dark side of the Net
<http://www.zdnet.co.uk/news/2000/8/ns-13651.html>
- The Internet isn't so great at protecting our secrets, but hopefully
  government obfuscation will get the same treatment.

DeseretNews: Only a handful of cyber-crooks are ever punished
<http://www.deseretnews.com/dn/view/0,1249,150017165,00.html?>
- Only a handful of computer attackers are actually caught and convicted, as
  federal law enforcement of cyber-crime lags far behind the explosive growth
  of the Internet, Justice Department records show.

WashingtonPost: Hackers Hit FBI Web Site
<http://www.washingtonpost.com/wp-srv/WPlate/2000-02/26/071l-022600-idx.html>
- Yet another World Wide Web site was temporarily blocked in a "denial of
  service" attack, the FBI said yesterday. The site was the FBI's.

SeattleTimes: Have doubts about e-mail security? They are all valid
<http://www.seattletimes.com/news/technology/html98/inbo_20000227.html>
- While recent e-commerce attacks have made us all more security conscious,
  they also serve as a reminder that e-mail has never been really private.

Cert: Windows Based DDOS Agents
<http://www.cert.org/incident_notes/IN-2000-01.html>
- Windows machines have been used as intermediaries in various types of
  denial of service attacks for years; however, the development and
  deployment of the technology to use Windows machines as agents in
  distributed denial of service attacks represents an overall increase in the
  threat of denial of service attacks.

TechWeb: IBM Will Ship PCs With 256-Bit Encryption
<http://www.techweb.com/wire/story/TWB20000228S0015>
- IBM on Wednesday will announce it will offer for export PCs capable of
  handling 256-bit digital key encryption. The machines will be available on
  March 10, making Armonk, N.Y.-based IBM among the first to make this
  technology widely available, an IBM executive said.


Feb 28, 2000

Weekly Raptor Security Roundup
</topnews/weekly/raptor20000228.html>
- Includes mail list posts on Backing Up Raptor Firewall, an Undocumented
  Bug - Localhost Denied Access, and more.

Currents: Schumer Intros Net Security Bill
<http://www.currents.net/newstoday/00/02/28/news18.html>
- Sen. Charles Schumer, D-N.Y., Thursday formally introduced a measure that
  would increase the fines and penalties for computer crimes.

Wired: Free Crypto Offered to Schools
<http://www.wired.com/news/technology/0,1282,34528,00.html>
- While federal investigators continue their hunt for the folks behind the
  recent denial-of-service attacks that crippled some of the Internet's
  biggest players, security companies are plying their wares with a
  vengeance.

Currents: Anti-Cyberattack Plan
<http://www.currents.net/newstoday/00/02/28/news1.html>
- On the heels of recent distributed denial-of-service attacks on commercial
  Web sites, a public/private security group has published a document to help
  organizations deal with systems security.

ZDNet: Kerberos made to heel to Windows 2000
<http://www.zdnet.co.uk/news/2000/8/ns-13702.html>
- Microsoft uses the open Internet security standard in its Windows 2000
  operating system and makes modifications without openly documenting its
  changes.


Mar 20, 2000

Internet Week: Lax Corporate Policies -- Security Shortchanged
<http://web.lexis-nexis.com/more/cahners-chicago/11407/5620488/1>
- A large number of businesses fail to update and consistently review their
  security policies, which determine the business assets they need to protect
  as well as the processes and technologies they must implement to properly
  secure enterprise networks. What's more, many companies don't have an IT
  security staff and spend relatively few dollars to protect their
  information assets, according to Network Computing magazine's new survey of
  573 IT and security managers.

CNet: WebTV hit by Melissa-like bug
<http://news.cnet.com/news/0-1006-200-1576095.html?tag=st.cn.1.lthdne>
- WebTV has been hit by a self-replicating bug that is wreaking havoc with
  the network's message boards and newsgroups, a situation that knocks back
  the company's claim that it is immune to viruses and security holes. The
  problem, which some are calling the "Flood Virus," gets inside the e-mail
  system of WebTV owners and prompts the WebTV set-top box to litter bulletin
  board and newsgroup sites on the company's network with redundant junk
  mail. Like the Melissa virus, the malicious WebTV code sends out the emails
  under a user's name without their knowledge.


Mar 18, 2000

Microsoft Bulletin: Malformed Media License Request Vulnerability
<http://securityportal.com/topnews/ms00-016.html>
- Windows Media License Manager is part of Windows Media Rights Manager, a
  component of Windows Media Technologies that enables content providers to
  distribute copyrighted digital media in encrypted form. When Windows Media
  Player opens protected digital media, it contacts the provider's server,
  presents the user's license request information, and obtains a license that
  allows it to play the media. However, a specially-malformed license request
  can cause License Manager to halt, thereby preventing legitimate subscribers
  from obtaining a license for the same or other content hosted at this site.


Mar 17, 2000

BusinessToday: Hackers taking delight in work
<http://www.businesstoday.com/techpages/hack03172000.htm>
- Canadian hacker Matthew Skala said yesterday that it was a pleasure working
  with his Swedish pal busting the code on a Framingham software company's
  Internet filtering product for children.

Wired: Cyber War in Liberia
<http://www.wired.com/news/politics/0,1283,35016,00.html>
- President Charles Taylor of Liberia, reacting to criticism of the
  government's closure of two radio stations, said a cyber war had been
  declared on his country.

Currents: Microsystems Sues Hackers
<http://www.currents.net/newstoday/00/03/17/news2.html>
- Unleashing what it hopes is another weapon in the arsenal against hackers,
  Microsystems Software, maker of the Internet filtering software Cyber
  Patrol, announced today that it has filed a suit seeking to stop two
  hackers, neither of whom is a US resident, from what it calls continued
  violations of US copyright law.

CERT/CC Current Activity
<http://www.cert.org/current/current_activity.html>
- Compromises via BIND Vulnerability, Domain Name Hijacking, Scans and
  Probes.

ZDNet: Major online credit card theft exposed
<http://www.zdnet.com/zdnn/stories/news/0,4586,2469820,00.html?chkpt=zdhpnews01>
- In the largest known case of cybertheft, a computer intruder stole
  information on more than 485,000 credit cards from an e-commerce site and
  then secretly stored the massive database on a U.S. government agency's Web
  site, MSNBC has learned. Credit card companies notified financial
  institutions, but many of the compromised accounts remain open to this day
  because the banks neither closed them nor notified customers of the theft.

Cisco Advisory: Secure PIX Firewall FTP Vulnerabilities
<http://www.cisco.com/warp/public/707/pixftp-pub.shtml>
- The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol)
  commands out of context and inappropriately opens temporary access through
  the firewall. This is an interim notice describing two related
  vulnerabilities.

FreeBSD Security Advisories
<http://securityportal.com/topnews/freebsd20000317.html>
- Four security advisories have been released recently covering a variety of
  system vulnerabilities, including a buffer overflow in lynx.

Microsoft Security Bulletin MS00-017
<http://www.microsoft.com/technet/security/bulletin/fq00-017.asp>
- When parsing a reference to a path, Windows 95 and 98 check for the
  presence of a single DOS device name in the path. If one is found, the path
  is correctly treated as invalid and an error is returned. However, neither
  Windows 95 nor 98 checks for multiple DOS device names. This is the source
  of the vulnerability. If a read or write operation is attempted to a path
  whose name contains multiple DOS device names, it will cause Windows 95 and
  98 to attempt to access invalid resources. In some cases, the effect of this
  invalid access would be to cause the application that supplied the path to
  hang, but the more likely effect is that the machine would present a blue
  debug screen and crash.

March Crypto-Gram Newsletter
<http://www.counterpane.com/crypto-gram-0003.html>
- By Bruce Schneier of Counterpane; the newsletter includes analysis of the
  controversy over Microsoft's implementation of Kerberos in Windows 2000.


Mar 16, 2000

ComputerWorld: Melting Worm slithers into the wild
<http://computerworld.com/home/print.nsf/all/000316C9CA>
- More information about the potentially destructive Windows virus
  Win32/Melting.worm, reported in our March 14 Top News. This story gives CA
  discovery credit, but Kaspersky Labs appears to have found it first.

FCW: Army on hacker alert
<http://www.fcw.com/fcw/articles/2000/0313/web-armyhac-03-15-00.asp>
- On Tuesday evening the Army placed its cyberdefenders at the Land
  Information Warfare center at Fort Belvoir, Va., on full alert after a
  group known as the Boys from Brazil threatened to hack into the Army home
  page on Friday.

IDG: Study: PKI revenues will reach 3.5 billion in 2003
<http://www.idg.net/idgns/2000/03/16/StudyPKIRevenuesWillReach35B.shtml>
- Spurred by current growth patterns in e-commerce, the PKI (public key
  infrastructure) market will be worth 3.5 billion dollars by 2003, according
  to a study from U.K.-based market research company Datamonitor.

IDG: Legislators propose commission to study privacy
<http://www.idg.net/idgns/2000/03/15/LegislatorsProposeCommissionToStudyPriva.shtml>
- Citing overwhelming concern among Americans about the protection of private
  financial, health and other personal information, two U.S. lawmakers have
  proposed a bill that would establish a commission to study and make
  recommendations about how best to ensure data privacy.

NTSecurity: Crashing Netscape Communicator 4
<http://www.ntsecurity.net/go/loader.asp?iD=/security/netscape1.htm>
- Simple HTML code can cause Netscape Communicator 4 to crash. While we are
  still uncertain as to the exact cause of the crash, it would appear that it
  pertains to an embedded DIV tag that is coded in a particular manner.

CNN: Arrest made for cyberattack
<http://cnnfn.com/2000/03/15/technology/wires/cyberspat_wg/>
- A disgruntled database engineer was arrested after he allegedly launched an
  attack on his workplace via cyberspace, federal authorities said Wednesday.
  Abdelkader Smires, 31, was arrested Tuesday at his Flushing, Queens, home.
  He has been charged with intentionally causing damage through the
  unauthorized use of a computer, punishable by up to five years in prison.
  Smires was being held without bail pending a hearing in Brooklyn federal
  court on Friday.


Mar 15, 2000

Kurt's Closet: Corporate and government access to your data
<http://securityportal.com/direct.cgi?/closet/closet20000315.html>
- There have been a number of frightening developments recently in legal
  areas of computing, such as companies being given access to employees' home
  computers and legislation requiring access to private encryption keys. Kurt
  Seifried looks at what is to be done.

IDG: EU-US privacy deal rotten, observers say
<http://www.idg.net/idgns/2000/03/14/EUUSPrivacyDealRottenObserversSay.shtml>
- European and U.S. negotiators have finalized an agreement on data privacy
  that puts to rest a simmering trans-Atlantic dispute over data protection,
  but U.S. observers say the accord underscores that Europeans have far more
  privacy protection than Americans.

Currents: Task Force Unveils E-business Security Guidelines
<http://www.currents.net/newstoday/00/03/15/news1.html>
- A consortium of key Internet businesses has formed an industry task force
  aimed at spreading the gospel of e-business security -- particularly to
  medium-sized, Web-based companies -- in the wake of the recent denial of
  service attacks. The group has issued a set of guidelines aimed at getting
  businesses to think about their own corporate virtual well-being, something
  many of them currently are not doing.

FCW: Army takes lead in biometric security research
<http://www.fcw.com/fcw/articles/2000/0313/web-biometr-03-15-00.asp>
- Faced with a steady increase in illegal intrusions into its computer
  networks, the Army has accepted responsibility for research and development
  of biometric technologies to bolster the Defense Department's cybersecurity
  programs.

ComputerWorld: Symantec seeks halt to posting blocked-site list
<http://www.computerworld.com/home/print.nsf/idgnet/000314F75A>
- Symantec Corp. has asked a Massachusetts Internet service provider to
  remove links to a list of Web sites blocked by Symantec's I-Gear Internet
  filtering software, as well as to a program that decrypts the list.
  Symantec charges that the information is protected by copyright and
  trade-secret laws.

SCO Advisory: security hole in the EELS system
<http://securityportal.com/topnews/sco20000314.html>
- A security hole found in the EELS system could result in a network based
  denial of service attack without the SCO-released patch.

Xforce: Vulnerability in Microsoft SQL Server 7.0
<http://xforce.iss.net/alerts/advise45.php3>
- Internet Security Systems has identified a vulnerability in the encryption
  used to conceal the password and login ID of a registered SQL Server user
  in Enterprise Manager for Microsoft SQL Server 7.0. When registering a new
  SQL Server in the Enterprise Manager or editing the SQL Server registration
  properties, the login name that will be used by the Enterprise Manager for
  the connection must be specified. If a SQL Server login name is used
  instead of a Windows Domain user name and the 'Always prompt for login name
  and password' checkbox is not set, the login ID and password are weakly
  encrypted and stored in the registry.

TechWeb: Task Force: Internet Security Holes Rampant
<http://www.techweb.com/wire/story/TWB20000314S0006>
- More than half of businesses on the Internet leave themselves open to
  security breaches because they fail to safeguard themselves.

ZDNet: Feds: Get more secure or else
<http://www.zdnet.com/zdnn/stories/news/0,4586,2462114,00.html?chkpt=zdhpnews01>
- U.S. Federal Trade Commissioner and FBI warn tech CEOs to address security
  and privacy concerns or lose the opportunity to self-regulate.


Mar 14, 2000

IDG: EU and US reach data privacy accord
<http://www.idg.net/idgns/2000/03/14/EUAndUSReachDataPrivacy.shtml>
- European and U.S. negotiators finalized on Tuesday an agreement on data
  privacy that puts to rest a simmering trans-Atlantic dispute over data
  protection, the negotiators told a press conference. After over two years
  of talks, negotiators agreed that the U.S.'s largely self-regulatory system
  based on so-called safe harbor principles represents "adequate protection"
  as defined and required by the rules of the European Union on the transfer
  of personal data outside the E.U.

ComputerWorld: IE5/Win2K security patch can lock out legitimate users
<http://www.computerworld.com/home/print.nsf/idgnet/000314F756>
- Microsoft Corp. warned network administrators yesterday to stop
  distributing a security patch for Internet Explorer 5.0 that could prevent
  Windows 2000 users from logging in to their computers.

NTSecurity: IE and Outlook May Run Arbitrary Code
<http://www.ntsecurity.net/go/loader.asp?iD=/security/ie515.htm>
- Georgi discovered that a user could place a .chm file in the TEMP directory
  where that file could contain a shortcut command. When the file is opened
  with the showHelp() procedure, any listed programs could be executed by the
  operating system.

Currents: Warnings About Melting Virus
<http://www.currents.net/newstoday/00/03/14/news3.html>
- Russian IT security firm Kaspersky Lab has issued a warning over a new type
  of worm called I-Worm.melting. As the name implies, the worm carries a
  screen saver that melts the PC's screen image, but the bad news is that it
  also locks up the user's machine. The anti-virus company said that the worm
  has been reported in-the-wild by its customers in Eastern Europe.