[INFOSEG] Security Wire Digest VOL. 5, NO. 26, APRIL 3, 2003
fabio.becherini@ufrgs.br
becherini at vortex.ufrgs.br
Mon Apr 7 11:35:41 BRT 2003
SECURITY WIRE DIGEST, VOL. 5, NO. 26, APRIL 3, 2003
Security Wire Digest is a newsletter published by Information Security,
the industry's leading source of security news and information.
IN THIS ISSUE:
*QuickTime Upgrade Fixes Flaw
*Sendmail Vulnerability Allows Server Takeover
*Judge's Child Porn Case Hinges on Hacker
*Analyst: End of Traditional Security Appliance Market at Hand
*DMCA Critics Warn About State-Level Legislation
*NIPC: Chinese Hackers Plotting Attacks
*Network Associates Acquires IntruVert
SECURITY PERSPECTIVE:
*Reality TV...er...AV
HAPPENINGS
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE DIGEST IS SPONSORED BY: SPI Dynamics
FREE White Paper: "Outsmart the Top 10 Web Application Attacks!"
Learn why 70% of today's successful hacks involve Web Application attacks
such as: SQL Injection, XSS, Cookie Manipulation, and Parameter
Manipulation. All undetectable by Firewalls and IDS!
Download *FREE* white paper from SPI Dynamics for a complete guide to
protection!
http://www.spidynamics.com/mktg/webappsecurity84
=====================================================
*QUICKTIME UPGRADE FIXES FLAW
Apple Monday issued QuickTime 6.1 to correct a buffer-overflow
vulnerability in the Windows implementation of its QuickTime player that
could allow the remote execution of arbitrary code.
The vulnerability originates in the processing of long QuickTime URLs. A
400-character URL can overflow the space allocated on the stack and overwrite
the instruction pointer. This lets an attacker dictate where the computer
next executes code in memory by supplying an address that points to exploit
code. A remote attacker can compromise a target system if a user can be
convinced to load the specially crafted exploit URL.
The media player runs on both Microsoft Windows and Apple Macintosh
platforms, but only QuickTime Player versions 5.x and 6.0 for Windows are
vulnerable.
Security intelligence firm iDEFENSE, which reported the flaw, also
recommends removing the QuickTime handler from the Web browser or removing
the registry key HKEY_CLASSES_ROOT/quicktime. The company says these steps
can prevent automatic exploitation through HTML pages.
http://www.apple.com/quicktime
http://www.idefense.com/advisory/03.31.03.txt
*SENDMAIL VULNERABILITY ALLOWS SERVER TAKEOVER
For the second time in a month, a serious security vulnerability has been
found in Sendmail, one of the most widely deployed mail transfer agents,
and the latest in a series of flaws discovered in some of the most
fundamental and widely used Unix applications.
"I don't think the vulnerability is being actively exploited at the
moment," says Michal Zalewski, a long-time contributor to Sendmail, and
the discoverer of the problem, adding, "Exploiting it is difficult enough
for us not to see a publicly available exploit today or tomorrow: it
usually takes weeks."
Eric Allman, CTO of Sendmail, confirmed this assessment, noting, "We are
not aware of any exploits at this time."
The vulnerability arises from a change in data type in the parser for
e-mail addresses. A specially crafted e-mail address can bypass the buffer
length checks and cause a buffer overflow. Exploiting the vulnerability
could allow remote or local attackers to gain root access, compromising the
server.
This vulnerability exists in all unpatched versions of Sendmail through
8.12.9, including all versions of the commercial product. About two-thirds
of Internet servers use Sendmail for email processing, either directly or
indirectly. Administrators should obtain free patches
(http://www.sendmail.org) or upgrade to the latest version.
*JUDGE'S CHILD PORN CASE HINGES ON HACKER
A Canadian hacker who illegally accessed a California judge's computer
last year and alerted authorities to child pornography found in the
machines may also be responsible for the case crumbling.
Bradley Willman of British Columbia recanted earlier statements that he
was working as a law enforcement "agent" when he installed a Trojan horse
to invade the personal computer of Orange County Superior Court Judge
Ronald C. Kline. Willman now says Kline's lawyers pressured him into
saying he worked on behalf of police. That statement led a U.S. judge in
March to rule that the search of Kline's home and work computers was
illegal. And that put key evidence seized after the intrusion in jeopardy
of being thrown out.
Willman, who's worked with Canadian police on a child molestation case,
says he contacted the Internet watchdog group Pedowatch.com after he found
more than 1,500 pornographic images and an incriminating personal diary on
Kline's machines. That agency contacted Irvine, Calif., police, which
launched an investigation that led to six federal charges of possessing
child pornography against Kline. He's also accused of molesting a
14-year-old boy more than 20 years ago.
Kline has since resigned from the bench.
Legal scholars told the Los Angeles Times that prosecutors must now prove
Willman had no contact with police until well after he invaded the
computers, in which case he could be considered a tipster and not an
informant.
=====================================================
*ADVERTISEMENT*
The NEXT Tech Tour is a high-level conference focused on security,
wireless, storage, and IT infrastructure technologies that help you solve
the challenges you are faced with every day. Get critical information and
training from industry-leading sources at NEXT. Visit our Web Site at
http://www.nexttechtour.com/?ism
=====================================================
*ANALYST: END OF TRADITIONAL SECURITY APPLIANCE MARKET AT HAND
The Yankee Group says many large corporations are launching
next-generation security architectures, a trend that heralds the end of
the traditional security appliances.
In fact, Yankee recommends its enterprise clients stop purchasing
traditional security appliances, such as firewalls or IDSes, as
stand-alone items to avoid funneling cash into what it says may soon be
obsolete technology. Instead, Yankee recommends companies draft a plan to
adopt the new architecture.
The shift, outlined in two reports on the "security service switch," is
well under way and will result in another wave of consolidation within the
security industry, says Matthew Kovar, Yankee's director of Security
Solutions & Services.
Kovar says 25 percent of the 100 largest U.S. companies are launching
these next-generation approaches this year. The new approach will see
appliances such as firewalls evolve and be combined into integrated
systems providing security services and security management in a single
architecture.
A similar evolution happened with networks, Kovar says, where network
providers have rolled various components--bridges, hubs, routers,
etc.--into single products. For security, the shift should result in
better management of security events, as multiple services and tools will
be working in tandem.
The main distinction is the goal of the deployment. "Security appliances
have traditionally been aimed at improving network performance rather than
truly securing at an application level," Kovar says. "That's like going to
the Wright brothers to ask them to get you to the moon when you should be
going to NASA."
Kovar says more than a dozen companies have already moved into the space,
from network vendors like TippingPoint and Mazu Networks to application
security firms like NeoScale and Netilla and traditional security vendors
such as NetScreen and Symantec. Those and other vendors are now likely
takeover targets from network equipment vendors like Cisco Systems, Nokia,
Siemens and Ericsson, he adds.
http://www.yankeegroup.com/public/news_releases/news_release_detail.jsp?ID=PressReleases/news_03312003_sss.htm
*DMCA CRITICS WARN ABOUT STATE-LEVEL LEGISLATION
Pending legislation in at least three states could restrict some security
technologies, say critics. They warn the entertainment industry is asking
states to enact laws similar to the Digital Millennium Copyright Act
(DMCA) that provide additional restrictions on encryption and other forms
of data security.
Supporters of bills in Nebraska, Texas and Massachusetts say the
legislation is similar to a law Maryland adopted to curb theft of digital
cable access. Critics say the laws contain more troubling language and
could outlaw firewalls or the employment or distribution of some types of
data encryption.
Princeton University professor Ed Felten, who writes the "Freedom to
Tinker" Weblog, says the Motion Picture Association of America (MPAA) is
pushing the bills, focusing on the protection of copyrighted material but
not bringing attention to the potential impact.
The bills make it illegal to "conceal the origination point or destination
of communications," Felten says, meaning they may ban e-mail encryption
and the widely used Network Address Translation (NAT) protocol. "Most
security 'firewalls' use NAT, so if you use a firewall, you're in
violation," Felten says.
Felten warns that more bills will hit state legislatures this year,
leading him to expect more laws that infringe on security technology, as
many complain the DMCA has. MPAA couldn't be reached for comment.
"This is not about cable security," says David McClure, president of the
U.S. Internet Industry Association. "It has everything to do with the
ability of film and music companies to gain absolute control."
http://www.usiia.org
http://www.freedom-to-tinker.com/archives/000336.html
*NIPC: CHINESE HACKERS PLOTTING ATTACKS
The National Infrastructure Protection Center (NIPC) Monday inadvertently
published an advisory warning that Chinese hackers are planning attacks
on U.S.- and U.K.-based Web sites to protest the war in Iraq.
According to the Washington Post, the "inadvertent release" was based on
information obtained from monitoring an online meeting held to coordinate
the attacks. The advisory cited planned distributed denial-of-service
(DDoS) attacks and the defacement of selected Web sites.
Chinese and U.S. hackers launched a weeklong cyberbattle in May 2001 and
claimed more than 1,000 successful defacements and DoS attacks. The
offensive action coincided with diplomatic tensions between Beijing and
Washington over the April 2001 collision of a Navy surveillance plane over
the South China Sea.
*NETWORK ASSOCIATES ACQUIRES INTRUVERT
Network Associates (NAI) Tuesday announced it will acquire network
intrusion protection provider IntruVert Networks for $100 million.
The all-cash deal is subject to regulatory and shareholder approval and is
expected to close within the next 45 days.
According to NAI Executive VP Sandra England, "The IntruVert solution is
perfectly aligned with our vision of stopping any attack that gets inside
the firewall. We will now have the capability of reliably blocking network
attacks at multi-gigabit speeds, which is a dramatic improvement over
existing intrusion detection products."
"With this acquisition, we will build on our core expertise in both
computer systems defense capabilities and network defense systems
capabilities," England adds.
=====================================================
*ADVERTISEMENT*
TECH EDITORS WANTED
INFORMATION SECURITY, the industry's leading infosec publication, is
seeking savvy security professionals to test products and write reviews on
an on-going freelance basis. Tech editors perform vendor briefings,
product evaluations and reviews, and lab testing of security hardware and
software. Opportunities are also available for writing in-depth technical
features. Applicants should have a solid grasp of security technologies
(certifications are helpful, but not required), an ability to write clear
and detailed articles, and be able to meet deadlines. Excluded from
applying are those who work for security product vendors or companies that
produce security equipment or software.
Those interested in applying should e-mail managing editor Larry Walsh
(mailto:lwalsh at infosecuritymag.com). Please include a resume and a brief
list of technologies of interest and proficiency. No phone calls, please.
=====================================================
SECURITY PERSPECTIVE
*REALITY TV...ER...AV
By Lawrence M. Walsh
If what Jan Hruska says is true about hackers, we may have wasted years of
effort and millions of dollars in defending against virus writers.
In an interview with Reuters, the CEO of antivirus vendor Sophos described
the average virus writer as male, 14-34, obsessed with computers and
unable to get a date. (This also describes a large number of security
pros, which may explain why Hruska's comments sparked a rather lively
debate. But I digress.)
Assuming Hruska is correct, wouldn't a more proactive approach to the
virus problem be hooking up these pathetic souls with a date?
Here's the pitch, a reality show--on Fox, of course--"The Hacker Dating
Game." You drag a bunch of pimply-faced hackers out of their mothers'
basements, give them a clean X-Files t-shirt and set them up with
beautiful young women.
Imagine, TV cameras would follow skin-pierced geeks and their playmates as
they go to nightclubs, fine restaurants, skiing in Aspen and scuba diving
in the Caribbean. Did I mention there would be hot tub scenes?
Since Americans love human train-wreck TV shows, a number of copycats will
appear on competing networks. ABC could have "I Want to Marry a Phreaker."
NBC could air "Married by Def Con." And CBS could schedule "LoveLetter
Chronicles." MTV will jump into the fray by having Ozzy Osbourne hack his
delinquent brood's e-mail ("Sharon! What's the bloody @#*%! password?").
OK, I know what you're thinking. Where would you find these women? After
all, we're not talking about "Joe Millionaire." Well, what about all those
adoring Russian women we hear about via spam?
LAWRENCE M. WALSH (mailto:lwalsh at infosecuritymag.com) is managing editor
of Information Security magazine.
=====================================================
HAPPENINGS
EDITOR'S NOTE: Check event listings for postponements and cancellations.
APRIL
Implementing IT Security - From Strategy to Reality
April 7-8, New Orleans, La.
April 10-11, Miami, Fla.
April 14-15, Atlanta, Ga.
April 21-22, Washington, D.C.
April 24-25, Philadelphia, Pa.
http://www.ip3inc.com
FOSE 2003
April 8-10, Washington, D.C.
http://www.fose.com
RSA Conference 2003
April 13-17, San Francisco, Calif.
http://www.rsasecurity.com
Ultimate Hacking: Expert
April 15-18, Washington, D.C.
May 6-9, Dallas, Texas
http://www.foundstone.com
Secure Coding
April 22-24, Irvine, Calif.
http://www.foundstone.com
O'Reilly Emerging Technology Conference
April 22-25, Santa Clara, Calif.
http://www.oreillynet.com/et2002
The ISI Forum on Information Security in Government
April 22-24, Alexandria, Va.
http://www.misti.com
The Annual Superstrategies Audit Best-Practices Conference
April 23-25, Boston, Mass.
http://www.misti.com
Techno-Security 2003
April 27-30, Myrtle Beach, S.C.
http://www.techsec.com
Real World Linux Conference & Expo
April 28-30, Toronto, Canada
http://realworldlinux.com
2nd Annual PKI Research Workshop
April 28-29, Gaithersburg, Md.
http://middleware.internet2.edu/pki03/
NSI IMPACT 2003
April 28-30, Falls Church, Va.
http://nsi.org/Impact2003.html
If you know of an information security conference that should be included
in the list of Happenings, please e-mail
mailto:lwalsh at infosecuritymag.com.
=====================================================
Security Wire Digest is an e-mail newsletter brought to you on Mondays and
Thursdays by Information Security magazine. Questions or comments should
be e-mailed to Shawna McAlearney, online editor,
mailto:smcalearney at infosecuritymag.com.
Security Wire Digest is audited by BPA. A copy of the June 2002 BPA E-mail
Audit Report is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf.
=====================================================
Security Wire Digest and Information Security magazine are published by
TruSecure, the world's leader in Internet security services.
Copyright (c) 2003, Information Security, a division of TruSecure Corp. No
reuse or redistribution without the express written authorization of
Information Security. To obtain reuse permission, contact Larry Walsh
(mailto:lwalsh at infosecuritymag.com).
=====================================================
To subscribe or renew your existing subscription to Information Security
magazine, print edition, please go to:
http://www.submag.com/sub/is