Privacy & Security News June 2001


House Leader Presses FBI Surveillance Worries
WASHINGTON (Reuters) - House Majority leader Dick Armey may seek U.S. Justice Department budget cuts to curb the use of the FBI e-mail surveillance tool formerly known as Carnivore, a spokesman said on Thursday.
``If necessary he would consider using Congress's power of the purse to pull the plug on Carnivore,'' said the aide, Richard Diamond.
At issue is specialized software used by the FBI for court-authorized tracking of a criminal suspect's online communications with the cooperation of an Internet service provider.
Unlike other court-ordered electronic surveillance tools, Carnivore, as it is still widely known, gives law enforcers access to the communications of all the service provider's customers, critics have charged. Here

Web at risk from new MS flaw By Robert Lemos ZDNet News
Microsoft said Monday that a "serious vulnerability" in its flagship Web server software used by computers running more than 6 million sites could allow hackers and online vandals to take control of the computers.
As first reported by CNET News.com, the flaw occurs in a component of Microsoft's Internet Information Service (IIS) software that is installed on Web servers by default, said Marc Maiffret, chief hacking officer with eEye Digital Security, the company that found the flaw.
"Pretty much any Web server (using Microsoft software) is basically left vulnerable to attack," he said. "Any hacker can basically get system-level access, which is the highest level of access on the computer," by using a program that exploits the problem. Here

Tool feeds ads to your e-mails
Melbourne-based online marketing company, Reva Networks, is currently promoting a new e-mail technology--Admail--that allows online advertisers to intercept e-mail messages as they enter the mail server and "wrap" them in advertising content tailored to the recipient's demographic profile.
Unlike conventional unsolicited e-mail, where advertising arrives in the users' inbox as separate e-mail, Admail fuses advertising with the body message regardless of its origin. Here

ONLINE PRIVACY CONCERNS DUBBED 'HYSTERIA'
A Federal Trade Commission member calls concern over online privacy "hysteria" and suggests the average person has more privacy today than a century ago. Commissioner Thomas Leary said he doesn't expect any new privacy regulations from the FTC -- at least for now. The hysteria is misplaced, he said, because there's going to be so much data available that companies won't be able to use it in ways that could hurt individual consumers. Here

PRIVACY GROUP RELEASES FREE 'SNOOP-WARE'
Internet users can find out if they're being tracked online -- and who's doing the tracking -- with free software released by a privacy group.
Bugnosis is a browser extension that detects bugs hidden on Web pages that collect info about users. At unscrupulous Web sites, the data may be passed along to third parties without the user's permission. The software released by the Privacy Foundation works for Internet Explorer 5 and up. An email version is planned. Here

Demand for NSA's W2K Security Guidelines Overwhelms Agency's Web site
( Thursday, June 14, 2001 ) A set of security guidelines for Windows 2000 posted by the National Security Agency last week proved so popular that NSA was forced to shut that area of its site down.
Visitors trying to access the security guidelines were greeted with a message that NSA was reconfiguring its Web site to handle the volume of visitors interested in downloading the guides. NSA planned to have the Windows 2000 security download portion of the site back online this week. Here

Trojan horse exploits Microsoft Word
By Robert Lemos Special to CNET News.com June 14, 2001, 1:05 p.m. PT
A month-old flaw in Microsoft Word has opened up PCs to attack by a new Trojan horse, antivirus researchers said Thursday.
Dubbed "Goga," the malicious code poses as a Word document saved in rich text format but actually reaches through the Net to run a Word macro--a small program that runs within the application--saved on a Russian Web site.
"While this is not a danger to the general public, it could be a danger to somebody if there is a direct mailing to them," said Jimmy Kuo, a researcher at security software maker Network Associates.
The Trojan horse appears as a text file in the rich text format, or RTF, attached to an e-mail, according to Russian antivirus software company Kaspersky Labs, which first found the malicious program. Here

Worm targets Gates with e-mail bomb
AN E-MAIL WORM that targets systems running Microsoft's Internet Information Services (IIS) enlists infected machines in what appears to be a hacker's vendetta against Microsoft. Here

Microsoft Smart Tags: Changing the Nature of Hyperlinks?
Is Microsoft preparing to fundamentally change the open nature of the Internet in favor of an infrastructure where your Web browser goes where Microsoft tells it to go? If the forthcoming release of Windows XP contained a controversial Microsoft-originated feature, the answer is yes. Here

Microsoft Scraps Smart Tags Plan
Following weeks of outraged criticism, Microsoft Corp. Thursday backed away from plans to include the Smart Tags feature in Windows XP's Internet Explorer 6.
The Smart Tags feature would allow IE 6 to turn any word on a Web site into a link at Microsoft's discretion. That link, without the Web site author's knowledge or consent, could lead to a Microsoft site or, conceivably, the site of a Microsoft partner or even an advertiser.
Critics said the feature gives Microsoft too much leverage over how users interact with Web pages.
The company reportedly will keep the Smart Tags feature in Office XP. The final version of Windows XP is due to ship in October.
Here and Here

Promises of Jennifer Lopez Nude Deliver Destructive Virus
[June 1, 2001] Mimicking the OnTheFly virus which promised pictures of Russian teen tennis star Anna Kournikova, this new LoveLetter variant promises Jennifer Lopez instead. Here

Apache Survives Server Crack Attack
[May 31, 2001] The open-source organization reveals that its public Web server was cracked by an unknown assailant two weeks ago. Here

20 June 2001 Money Bugs Send Credit Card Data to Thieves
Small devices can be planted inside retail terminals where they skim credit card information and automatically send it to labs where people make phony credit cards. Here
Note: This is a fundamental vulnerability that results from the ability to insert an untrusted device. Visa and MC may protest all they like, but the cost of such devices has fallen to the tens of dollars, and any merchant and most of their employees can insert one. The answer is smart cards, and Visa and MC both know it. We can only hope that they will start to use them before permanent damage is done to public trust and confidence. Time is critical and it is not obvious that they have enough.

A new malicious program - dubbed 'Leaves' - infects previously compromised PCs and seemingly prepares the machines to launch a DoS attack
A government Internet watchdog warned companies this past weekend of a new malicious program that spreads to previously compromised PCs and seemingly prepares the infected machines to launch a denial-of-service attack, sources said Monday. Here

Putting Security in the Palm of Your Hand
Hitachi and Sanyo team up to develop a secure memory card that holds encrypted data for Palm PDAs.
Your Palm PDA may soon have an added level of security. Hitachi and Sanyo Electric have developed a Secure Multimedia Card, a memory card that has a security function for stored data, designed for use with Palm handhelds. Here

Crypto flaw allows e-mail shenanigans
Common encryption standards that allow users to digitally sign their e-mail have a well-known flaw that could allow the message to be surreptitiously forwarded to another person, a researcher plans to announce Thursday at a technical conference. Here

Security pros: We must track the hacks
Two security incidents last week have polarized the parties debating the thorny issue of reporting vulnerabilities and exploits, but help may be on the way in the form of an industry group with established protocols. Here

Net espionage stirs Cold-War tensions
WASHINGTON -- Fears of Cold War tensions are finding new life in cyberspace, as the threat of Internet espionage shifts the nuclear-age doctrine of "mutually assured destruction" to that of mutually assured disruption.
In one long-running operation, the subject of a U.S. spy investigation dubbed "Storm Cloud," hackers traced back to Russia were found to have been quietly downloading millions of pages of sensitive data, including one colonel's entire e-mail inbox. During three years, most recently in April, government computer operators have watched--often helplessly--as reams of electronic documents flowed from Defense Department computers, among others. Here

Hackers delay censorship-busting software
A GROUP OF hackers has delayed introducing its planned Web software that is meant to allow users to evade government censorship of the Internet. The delayed project, code-named "Peekabooty," was originally scheduled for launch next month at the hackers' convention Def Con, the group Cult of the Dead Cow (CDC) said in an e-mail message to journalists. Here

Sign on the digital line
The E-Sign Act goes into effect, legitimizing electronic signatures in the eyes of the law.
"Getting it in writing" is no longer the only option. On Sunday, June 10, when Congress's E-Sign Act became law, electronic signatures began carrying as much legal weight as a pen-and-paper John Hancock, giving companies the confidence to arrange their business contracts over the Internet. The law will have little immediate impact on business practices, but it's a necessary step in the evolution of e-commerce. Here

Hacker wages war on the waves
As the US Navy announces a $4.1bn attempt to secure the Navy Marine Corps Intranet (NMCI), hackers have issued a warning that Navy websites are next on the list of targets.
The five-year project to secure the NMCI, which consists of 350,000 desktops and 200 networks, dispersed around the world, focuses on controlling virus outbreaks and killing malicious code. Here

SSH hits the fan for Cisco on security
Cisco products, including its PIX firewall, are subject to multiple vulnerabilities in Secure Shell (SSH) despite the fact problems with the protocol have been known about for almost a year. Here

19 & 20 June 2001 Social Worker Recommends Jail Time For Canadian Teen
A court-appointed social worker said that the Canadian teenager responsible for major denial-of-service attacks in February 2000 should spend at least five months in detention. The boy has shown no remorse for his actions, needs more discipline, and is likely to commit more cyber crimes, according to the social worker. Canoe.ca and Wired

22 June 2001 Consumers' Association Chastised for Security Problem
The Consumers' Association (CA) exposed customer credit card information on its TaxCalc web site. CA has arranged for an independent assessment of the web site, which will remain down until the security problem has been addressed. Experts have been vocally critical of the blunder. BBC

22 June 2001 An Important Application for Encryption
While credit card numbers may also be exposed in the network, attacks against the merchant's server are usually more efficient: a successful attack yields more value relative to its cost. Merchants store credit card numbers because it makes subsequent purchases easier for the consumer. Where merchants elect to save credit card numbers, they should do so on a back-end database server. If credit card numbers are stored on the front-end server, they should be encrypted. Wired

21 June 2001 Cracker Penetrates Credit Card Database
A cracker accessed the credit card database of Anacom Communications Inc., an independent subsidiary of ZixIt Corp. The FBI is investigating. ComputerWorld

21 June 2001 Phone Phreaking Bill Dispute
Crackers took advantage of a Georgia realty firm's 800 number to make nearly $90,000 in overseas calls; as no culprits have been caught, the small company disagrees with AT&T about who should foot the bill. Businesses can protect themselves from such attacks by using arcane passwords, changing them habitually, keeping passwords secret, and blocking international phone service if it is never used. AccessAtlantic

20 June 2001 Instant Messaging Archiving Privacy Issues
Some instant messaging programs incorporate archiving features which do not require the consent of both participants; most programs also allow users to save their real-time on line conversations as text files. Cnet

20 June 2001 Financial Institutions, Consumers Urged to Pay Attention to Security
The Financial Services Authority (FSA) urged on line financial institutions not to forget security while they ready new products. The UK watchdog group also cautioned consumers to be attentive to security matters while doing business on line; consumers should use obscure passwords, change them often, and check for encryption when sending data, suggests an FSA team manager. BBC

18 June 2001 Elements of a Good Security Awareness Program
A good security awareness program will address social engineering, passwords, insider threats, and cyber ethics. Here

18 June 2001 ComputerHQ.com Exposed Customer Data
A programmer who found a JavaScript flaw on the Computer HQ.com web site that divulged credit card information and other personal data about customers tried and tried again to get the company to fix the problem. While some of the customers contacted by the programmer were shocked at the lax security, others were angry that the programmer had pried into their private details.
Wired
Note: The same thing happened to me over the Christmas Holidays last year, I found several open systems on a localnet connected to the internet that were totally accessible. You couldn't write to them but you could copy everything off them including their customer database and accounting program with all their customer data, invoices, acct/banking info, payroll, etc. After spending $20 on long distance calls to contact the system owner all I got was blasted for snooping on his computer. So much for trying to be helpful!

9 - 14 June 2001 Cal-ISO Servers Compromised
Crackers recently infiltrated two servers that were part of a development network at the California Independent System Operator (ISO) -- an integral part of the power grid -- raising concerns that foreign governments or terrorist groups are probing the US's critical infrastructure networks. Security specialists say they cannot tell who was responsible for the attacks, and that many security measures, including firewalls, tripwires, and logs, were not in place. LA Times and ComputerWorld and Cnet
Note: Why are systems intended for the development of such a sensitive application connected to the public network at all, much less without routine security measures?

15 June 2001 Wireless Keyboard Security
Daten-Treuhand, a German security concern, has posted a warning on Bugtraq that crackers can sniff passwords from wireless keyboards from up to 30 meters. The Register and Here

15 June 2001 New Malicious Hacking Tools
Security consultants say there are two new hacking tools available on the Internet: GodMessage and Choke. GodMessage lets crackers put ActiveX code on web pages which would make browsers download a compressed program. Users with current antivirus software should be protected. The Choke worm circumvents security controls using MSN Messenger. ZDnet

11 & 13 June 2001 MacSimpson Worm (For our Apple/MAC Friends)
A mass mailing worm that targets Macintosh computers arrives as an attachment purporting to be secret episodes of The Simpsons. The attachment is actually an AppleScript that sends copies of itself to everyone in the Outlook Express or Entourage address book(s) of infected machines. Finally, the worm moves the contents of the sent mail folder to the deleted items folder and opens Internet Explorer to a Simpsons archive. The worm affects Macintosh Systems 9.0 and higher, and Outlook Express 5.02 and higher. The Computerworld article offers advice for removing the worm from infected systems. Cnet and ZDnet and ComputerWorld

6 & 7 June 2001 Watermark Cracking Researchers Ask Court to Let Them Present Work
In April, a team of researchers bowed to pressure from the Secure Digital Music initiative (SDMI) and the Recording Industry Association of America (RIAA) and declined to present a paper that describes how they cracked digital watermarking schemes. Last week, that same group of researchers filed a federal lawsuit asking that they be allowed to present their paper at a technical conference this summer. Wired and ZDnet

5 & 6 June 2001 Miss World Worm
The Miss World worm carries a malicious payload that tries to overwrite necessary files and format hard disk drives. The worm is launched by opening infected e-mail attachments, and spreads via Outlook. The Register and ZDnet

31 May 2001 SULFNBK.EXE Worm Hoax
A hoax e-mail may have convinced many people to delete SULFNBK.EXE, a Windows utility, from their hard drives. While the e-mail may have begun with good intentions - there have been reports of e-mails containing copies of the file infected with W32.Magistr.24876@mm - the hoax e-mail uses social engineering to get people to do the work of a malicious worm. A Symantec site offers information about the hoax e-mail and instructions for restoring the deleted file. ZDnet and Symantec AV

1 June 2001 Hotmail and Yahoo E-mail Vulnerability
A vulnerability in Hotmail and Yahoo e-mail programs allows a deliberately composed e-mail containing an HTML link to behave like a worm and flood Internet mail servers. Microsoft had the flaw fixed by Friday afternoon, and Yahoo was working on a fix. Cnet

31 May 2001 New Worm Variant Makes Use of Social Engineering Tactics
The Chernobyl worm, which carries a malicious payload capable of overwriting a computer's BIOS information, is making the rounds this time in the guise of an attachment purporting to be pictures of Jennifer Lopez. Cnet
Note: "Social engineering" is a term hackers use to put a pleasant face on fraud and deceit. Personally, I prefer the definition 'user created error'. That's when the user, upon receiving an email warning about a virus or suspected spyware, follows the instructions without verifying the content and "deletes" key Windows or Program Files.

30 May 2001 Hackers Pilfer SETI@home Volunteers' E-Mail Addresses
Some hackers figured out the method SETI@home uses to exchange work units with volunteers in its distributed computing effort, and took advantage of the knowledge to mine up to 50,000 e-mail addresses which were then used in a spam attack. SETI@home's project director said the server software has been revised. MSNBC
Note: The article says this hack exposes the pitfalls of distributed computing. More precisely, it exposes the pitfalls of distributed computing with weak authentication.

29 May 2001 Hacker Helps Excite@Home With Security
Excite@Home has praised a hacker who came to the company with information about a server vulnerability that could have exposed customer support data. After meeting with the man, Excite@Home bolstered its network security by installing firewalls, implementing a variety of security hardware and programs, and restricting network access. Cnet
Note: @Home is a major contributor to the security problem, because of its lax security. Just look at the GRC story Security Expert's Site Knocked Offline By Attack.
NOTE: The fact that the ISPs Won't or Can't secure/administer their systems/users has led me to believe that the only recourse is to take legal actions that will force the DOMAIN REGISTERS to "SUSPEND" the DNS numbers of these ISPs for at least 48hrs when more than 500 complaints have been filed. Then let's see how fast they'll deal with the problem, when their financial interest is at stake!

29 May 2001 Echelon's Reach Exceeds its Grasp, Says EU Committee
A draft report from a European Parliament investigative committee concludes that Echelon, the global electronic eavesdropping network, is not as capable as was previously believed, but the committee still recommends that people use encryption software. ComputerWorld and Echelon Q&A: BBC

24 May 2001 Weather.com Hit By Denial of Service Attack
The Weather Channel's web site was hit by a denial-of-service attack that limited user access and slowed site performance for about seven hours. The director of site operations said that in defense, they shifted to another dedicated router and installed filtering and intrusion detection software. In addition, system administrators are examining the company's server logs to see if the attack was a diversion created to draw attention away from an intrusion. InterNet Week

19 May 2001 Cracker Compromises Customer Credit Card Data
A security breach at A&B Sound's web site exposed customer names and credit card data. The site was shut down to allow for investigation. A&B Sound has sent e-mails to potentially affected customers advising them to contact their credit card issuers. Vancouver Sun and Here

[SECURITY BULLETINS] Win - Update {00.43.013}: MS00-077: NetMeeting desktop sharing DoS

Patch Available for "NetMeeting Desktop Sharing" Vulnerability
Microsoft has re-released MS00-077 ("NetMeeting desktop sharing DoS"), which fixes a new variant of the original problem discussed in {00.43.013}.
FAQ and patch: Here
Source: Microsoft Here

{01.26.002} Win - MS01-034: Word Document Auto Macro Execution

Microsoft has released MS01-034 ("Malformed Word Document Could Enable Macro to Run Automatically"). Particular malicious embedded macros in Word documents may not be recognized by the security scanner, allowing them to execute regardless of security configurations.
FAQ and patch: Here
Source: Microsoft Here

MS01-028 - RTF document linked to template can run macros without warning

This bulletin discusses a vulnerability in several versions of Microsoft Word. By design, if a user has configured Word to prompt before running macros, Word should do so even when the macro is in a document linked to the one that the user opened. However, if the macro is in a template and the user opens an RTF document that links to the template, no warnings are issued.
This affects several versions of Word and patches are available as follows:
* Word 2000 Here
* Word 98 (J) for Windows The patch is not yet available. Consult the bulletin for availability
* Word 97 Here
* Word 98 for the Mac The patch is not yet available. Consult the bulletin for availability
* Word 2001 for the Mac The patch is not yet available. Consult the bulletin for availability
The problem does not affect Word 2002 for Windows.

For more information see:
* Microsoft Security Bulletin MS01-028 Here
* Microsoft Knowledge Base (KB) article Q288266 "WD2000: No Macro Warning When You Open RTF Document" Here
* The CVE Information Here

MS01-029 - Windows Media Player .ASX Processor Contains Unchecked buffer

This bulletin announces patches for two vulnerabilities in Windows Media Player 6.4 and 7.0.
Pauli Ojanpera posted a message to BugTraq on May 2, 2001, announcing a new buffer overflow in the Windows Media Player (WMP) versions 6.4 and 7.0. The buffer overflow occurs in the routines that parse .ASX files. A similar vulnerability was announced and fixed in MS00-090 (see the November 2000 SANS WSD). The new vulnerability affects the HREF attribute of the BANNER tag.
On May 6, 2001, another message was posted to BugTraq by ByteRage detailing a denial of service in Media Player 6.4 by including a malformed version field in a .ASX file. We have verified that version 7.1 appears to be immune against this exploit, and that it appears to be a denial of service attack only on WMP 6.4.
Ojanpera also posted another buffer overflow in WMP on May 28. Even the patched versions are vulnerable to that issue. See item 3.5.1 for more details. This issue has received CVE candidate number CAN-2001-0242.
The second vulnerability fixed in this bulletin is that WMP stores Internet shortcuts in files with known names underneath the user's temporary Internet files folder. Since they have known names, and they could contain HTML and script code, the potential exists that these files could be executed by some hostile mechanism, in which case they would execute in the context of the local computer. In that context they could take more privileged action than would be possible if they were executed from a web page on the Internet. This issue has received CVE candidate number CAN-2001-0243.
The patch also includes functionality to prevent identification of individual media player installations. A web site could assign a unique identifier to a media player installation. A set of web sites could then be used to correlate information about users using the media player. A new option has been added to block this. To do so, install the patch and then disable the option "Allow Internet sites to uniquely identify your player."
There is a patch available for WMP 6.4. Users of WMP 7.0 may upgrade to version 7.1 to block these vulnerabilities:
* Windows Media Player 6.4 patch Here
* Upgrade for Windows Media Player 7 Here
For more information see:
* Microsoft Security Bulletin MS01-029 Here
* Microsoft Knowledge Base (KB) article Q298598 "Patch Available for Windows Media Player 6.4 and 7 Buffer Overrun Vulnerability" Here
* Microsoft Knowledge Base (KB) article Q296138 "Patch Available for Windows Media Player 6.4 and 7 Internet Shortcut Vulnerability" Here
* Microsoft Knowledge Base (KB) article Q296139 "Patch Available for Windows Media Player 6.4 and 7 Privacy Issue" Here
* The CVE Information Here
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0243

PacketStorm Security Site


Copyright © 1996-2004 by PrivacyandSpying Com