Net-Sec newsletter
Issue 24 - 01.08.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers weekly 
roundups of security events that were in the news the past week. 
Visit Help Net Security for the latest security news - http://www.net-security.org.


Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Table of contents:

1) General security news
2) Security issues
3) Security world
4) Featured articles
5) Security books
6) Defaced archives



============================================================
Sponsored by Kaspersky Lab - You Personal Anti-Virus Guard
============================================================
The Breakthrough Technology Protecting Your Computers From Viruses!

Subscribe to Kaspersky Lab's FREE newsletter delivering you
the latest and trustworthy information source on computer 
viruses and their counter measures. You will always be up
to date when securing your computer!
Join now! http://www.kasperskylab.ru/eng/news/maillist.asp
============================================================




General security news
---------------------


----------------------------------------------------------------------------

PICKING THE LOCKS ON THE INTERNET SECURITY MARKET
"Another day, another e-commerce break-in ... The problem, argue a number 
of new startups, isn't products. It's people."
Link: http://www.redherring.com/insider/2000/0724/tech-fea-security-home.html


WE'RE STILL GETTING SECURITY WRONG
Worries about security, and justified ones at that, could still stop the eCommerce 
bandwagon in its tracks, it seems. The recent revelation of a security loophole in
MS Outlook has been followed by a report from IDC asserting that corporate
Europe is still adopting the wrong approach to strengthening the security of 
its systems.
Link: http://www.it-director.com/00-07-25-3.html


EVALUATION TECHNOLOGY FOR INTERNATIONAL SECURITY STANDARD
The international standard serves as a framework for establishing system 
reliability by a product's functions, quality, operation and management. More
specifically, the standard prescribes requirements for the functioning and quality
of the security component that systems must meet to prevent intrusion and
unauthorized access.
Link: http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/108225


COST OF INTRUSIONS
Enterprises hiring reformed crackers to expose their soft underbellies will only
add to the more than $2.6 trillion lost worldwide annually because of security
intrusions, warns professional services firm PricewaterhouseCoopers.
Link: http://www.it.fairfax.com.au/industry/20000725/A26681-2000Jul24.html


MICROSOFT SECURITY EXECUTIVE PROMISES IMPROVEMENTS
The man who receives more complaints about the security of Microsoft Corp.'s
software than anyone on the planet vowed here yesterday that the company's
products are improving in quality and will continue to become more secure. 
Link: http://www.idg.net/ic_204796_1794_9-10000.html
Can we believe that? Comment this in our forum:
http://www.net-security.org/phorum/read.php?f=2&i=41&t=41


WHY PEOPLE NEED OUTLOOK
With all this problems with Microsoft Outlook, people are wondering why do 
others use Outlook rather than some other mail clients. On HNS forum, Ladi wrote 
her opinion on "Why is Outlook so widely used in corporate environments?".
Link: http://www.net-security.org/phorum/read.php?f=2&i=39&t=29


DEFACEMENTS BY WEBSERVER
Attrition published statistics entitled "Defacements by Webserver August 01,
1999 - July 22, 2000". According to the stats, Microsoft IIS had the biggest 
number of defacements.
Link: http://www.attrition.org/mirror/attrition/webserver-graphs.html


ERROR AND ATTACK TOLERANCE OF COMPLEX NETWORKS
The Internet's reliance on only a few key nodes makes it especially vulnerable
to organized computer attacks, according to a new study on the structure of 
the worldwide network.
Link: http://www.nature.com/cgi-taf/DynaPage.taf?file=/nature/journal/v406/n6794/full/406378a0_fs.html


SECURITY POLICY
Marcus Ranum, chief technology officer at NFR: "We are creating hordes and 
hordes of script kiddies. They are like cockroaches. There are so many script 
kiddies attacking our networks that it's hard to find the real serious attackers 
because of all the chaotic noise."
Link: http://news.excite.com/news/zd/000726/18/silence-the-best


NSA OFFICIAL BLASTS AT SECURITY VENDORS
The National Security Agency's senior technical director Thursday lambasted
developers of security tools, which he said were so weak that they encouraged
attacks by computer crackers.
Link: http://www.infoworld.com/articles/hn/xml/00/07/28/000728hnnsa.xml


BRITISH VERSION OF CARNIVORE IS NOW LAW
The British government approved the Regulation of Investigatory Powers (RIP)
that allows British law-enforcement agencies to force ISPs to hand over 'Net
traffic logs and encrypted e-mail messages, along with the decryption keys
needed to read their content. ISPs will have to set up secure channels to the
government's monitoring center and to install "black boxes" that will do the
tracking if the government issues a notice and has a warrant asking the ISP
to do so.
Link: http://www.geek.com/news/geeknews/q22000/gee2000728001991.htm


HOW THE FBI INVESTIGATES COMPUTER CRIME
This guide provides information about the federal investigative and prosecutive
process for computer related crimes. It will help you understand some of the 
guidelines, policies, and resources used by the Federal Bureau of Investigation
when it investigates computer crime.
Link: http://www.cert.org/tech_tips/FBI_investigates_crime.html


TOOL TRACES DENIAL OF SERVICE SOURCES
The Internet Engineering Task Force (IETF) is working on technology that will 
minimise the problem of denial of service attacks by making it possible to quickly
trace the source of the attack. The organisation last week formed a working
group to develop ICMP Traceback Messages, which would allow network
administrators to trace the path packets take through the internet. 
Link: http://www.vnunet.com/News/1107643


RECRUITING HACKERS
Department of Defense and military officials turned a hacker conference into a
recruiting drive Friday, trying to woo the best and the brightest into becoming 
security experts.
Link: http://www.zdnet.com/zdnn/stories/news/0,4586,2609334,00.html


DEFCON
Defcon has always been an event known as much for its intensive technical 
content - talks on "advanced buffer overflow techniques" are de rigueur - as 
its social opportunities, but this year it seems to have become more party than 
conference. Call it the new American geek holiday.
Link: http://www.wired.com/news/culture/0,1284,37896,00.html

----------------------------------------------------------------------------




Security issues
---------------

All vulnerabilities are located at:
http://net-security.org/text/bugs


----------------------------------------------------------------------------

VULNERABILITY IN NETSCAPE BROWSERS
This advisory explains a vulnerability in Netscape browsers present since at 
least version 3.0 and up to Netscape 4.73 and Mozilla M15. The vulnerability 
is fixed in Netscape 4.74 and Mozilla M16. 
Link: http://www.net-security.org/text/bugs/964528232,40698,.shtml


IBM WEBSPHERE VULNERABILITY
A show code vulnerability exists with IBM's Websphere allowing an attacker 
to view the source code of any file within the web document root of the 
web server.
Link: http://www.net-security.org/text/bugs/964528397,78068,.shtml


ANALOGX PROXY DOS
AnalogX Proxy is a simple but effective proxy server that has the ability 
to proxy requests for the following services: HTTP, HTTPS, SOCKS4, 
SOCKS4a, SOCKS5, NNTP, POP3, SMTP, FTP. Using commands of an 
appropriate length, many of the services exhibit unchecked buffers causing 
the proxy server to crash with an invalid page fault thus creating a denial 
of service. Normally this would only be a concern for users on the LAN side 
of the proxy, but by default Proxy is configured to bind to all interfaces on 
the host and so this would be exploitable remotely from over the Internet.
Link: http://www.net-security.org/text/bugs/964577654,52746,.shtml


PATCH FOR "NETBIOS NAME SERVER PROTOCOL SPOOFING"
Microsoft has released a patch that eliminates a security vulnerability in 
a protocol implemented in Microsoft  Windows systems. It could be used 
to cause a machine to refuse to respond to requests for service.
Link: http://www.net-security.org/text/bugs/964789771,23452,.shtml


BEA'S WEBLOGIC SHOW CODE VULNERABILITY
Two show code vulnerabilities exist with BEA's WebLogic 5.1.0 allowing 
an attacker to view the source code of any file within the web document 
root of the web server. Depending on web application and directory 
structure attacker can access and view unauthorized files.
Link: http://www.net-security.org/text/bugs/964901015,87907,.shtml


----------------------------------------------------------------------------




Security world
--------------

All press releases are located at:
http://net-security.org/text/press

----------------------------------------------------------------------------

E-SHOPPING MADE FAST, EFFICIENT AND SECURE - [24.07.2000]

JAWS Technologies Inc. announced that it has signed a memorandum of 
understanding with iSolver.com to integrate JAWS security solutions into 
iSolver's technology and facilities. JAWS will develop new secure Internet 
encryption products to support iSolver's Universal Cart Technology (UCT). In 
addition, JAWS will validate, develop and deliver security concepts for all new 
Internet applications conceived by iSolver. The two firms expect to complete a 
definitive Business Partnership Agreement Aug. 1, 2000, which will have JAWS 
provide for a total security solution to support iSolver's business offering. 

Press release:
< http://www.net-security.org/text/press/964399208,14554,.shtml >

----------------------------------------------------------------------------

JAVA-BASED B2B TECHNOLOGY TO ALLOW DIGITAL SIGNATURES - [24.07.2000]

With the recent passage of the landmark Electronics Signature Act giving digital
signatures legal validity, Cyclone Commerce, Inc. continues to take the lead in 
making E-Signatures an eCommerce reality. With its flagship product, Cyclone 
Interchange, organizations can apply valid and secure digital signatures to every
document sent. This is made possible by Cyclone CrossWorks Security Framework,
a revolutionary technology the company pioneered. 

Press release:
< http://www.net-security.org/text/press/964475791,79890,.shtml >

----------------------------------------------------------------------------

ZKS PREVIEWS LINUX VERSION OF FREEDOM - [24.07.2000]

Zero-Knowledge Systems, the leading developer of privacy solutions for 
consumers and companies, will release its first source code. Mike Shaver, 
Zero-Knowledge's Chief Software Officer, last week previewed the Linux client 
of the company's award-winning privacy software, Freedom at the Ottawa Linux 
Symposium. In this first source release, Zero-Knowledge will release the source
code of the Freedom Linux kernel interface. 

Press release:
< http://www.net-security.org/text/press/964475936,91408,.shtml >

----------------------------------------------------------------------------

RAINBOW SIGNS NEW CRYPTOSWIFT OEM AGREEMENT - [25.07.2000]

Rainbow Technologies, Inc., a leading provider of high-performance security 
solutions for the Internet and eCommerce, today announced that the company 
has signed a major OEM agreement with a leading provider of next-generation 
Internet infrastructure solutions - and has received an initial order of nearly $1 
million. Rainbow's CryptoSwift eCommerce accelerator is a key component in a
new family of products designed to enable eBusinesses to meet the demands 
resulting from the rapid growth of the Internet. This new family of products are 
optimized to manage Web traffic - and provide the high performance and 
availability of leading networking infrastructure solutions.

Press release:
< http://www.net-security.org/text/press/964482291,24441,.shtml >

----------------------------------------------------------------------------

SYBARI'S ANTIGEN SELECTED BY SUNBELT SOFTWARE - [25.07.2000]

Sybari Software, Inc., the premier antivirus and security specialist for groupware
solutions today, announced that it has been selected by Sunbelt Software, the 
No. 1 provider of "best-of-breed" solutions for Windows 2000/NT, for antivirus 
protection of their groupware environment. "We needed something we knew
could protect our groupware. A network disabled, even for a short while, from a 
virus attack is not acceptable," said Stu Sjouwerman, president of Sunbelt 
Software. 

Press release:
< http://www.net-security.org/text/press/964482448,58117,.shtml >

----------------------------------------------------------------------------

DEFENDNET SOLUTIONS PARTNERS WITH TREND MICRO - [25.07.2000]

DefendNet Solutions Inc., a leading provider of total managed security solutions 
for the Internet, today announced that it has partnered with Trend Micro Inc. 
to deliver virus scanning services based on Trend Micro's award-winning 
InterScan VirusWall technology. By incorporating Trend Micro's InterScan 
antivirus software into its comprehensive suite of managed security offerings, 
DefendNet will enable its carrier partners to offer remotely managed gateway 
virus protection to their corporate customers.

Press release:
< http://www.net-security.org/text/press/964482508,73308,.shtml >

----------------------------------------------------------------------------

SYMANTEC STRENGHTENS WITH ACQUISITION OF AXENT - [27.07.2000]

Symantec Corp. and AXENT Technologies, announced that their boards of 
directors have approved the acquisition of AXENT by Symantec in a 
stock-for-stock transaction valued at approximately $975 million. The 
combination of the two companies will create a new leader in Internet security 
for enterprise customers. Under the agreement, AXENT shareholders will receive
in a tax-free exchange 0.50 shares of Symantec common stock for each share 
of AXENT common stock they own.

Press release:
< http://www.net-security.org/text/press/964717984,72585,.shtml >

----------------------------------------------------------------------------

'HACK PROOFING YOUR NETWORK' - [28.07.2000]

Syngress Publishing, Inc., today announced the publication of "Hack Proofing 
Your Network: Internet Tradecraft" by Ryan Russell and with contributing 
grey-hat hackers such as "Mudge," "Rain Forest Puppy," "Caezar," "Effugas," 
and "Blue Boar." The premise of the book is "The only way to stop a hacker is 
to think like one." It provides a tour of information security from the hacker's 
perspective and offers practical advice for fending off local and remote network 
attacks. The book is divided into four parts on theory and ideals, local attacks, 
remote attacks, and reporting.

Press release:
< http://www.net-security.org/text/press/964790472,38581,.shtml >

----------------------------------------------------------------------------

FREE INDUSTRY-LEADING ANTI-VIRUS SOLUTION - [28.07.2000]

Verio Inc. and Computer Associates International, Inc. today announced that 
the two companies have entered into a partnership to help ensure safe 
computing in eBusiness environments. The alliance provides Verio with the 
opportunity to offer its 400,000 customers a free, downloadable version of CA's 
award-winning anti-virus solution, InoculateIT Personal Edition. The anti-virus 
software is a component of eTrust, CA's comprehensive Internet security 
solutions suite. 

Press release:
< http://www.net-security.org/text/press/964790527,6132,.shtml >

----------------------------------------------------------------------------

@STAKE ACQUIRES CERBERUS INFORMATION SECURITY - [27.07.2000]

@stake, the world's leading Internet security professional services firm, today
announced the acquisition of London-based Cerberus Information Security, Ltd,
specialists in penetration testing and security auditing services. As a result of 
today's acquisition, @stake has formalized its entry into the European market,
paving the way for further global expansion. With this agreement, CIS' security
specialists will become @stake security consultants. In addition, @stake will
inherit CIS' client base, a roster of more than 20 blue-chip clients based in the
UK. Financial terms of the acquisition were not disclosed. 

Press release:
< http://www.net-security.org/text/press/964837499,43578,.shtml >

----------------------------------------------------------------------------




Featured articles
-----------------

All articles are located at:
http://www.net-security.org/text/articles

Articles can be contributed to staff@net-security.org

Listed below are some of the recently added articles.

----------------------------------------------------------------------------

MACRO VIRUSES: BACKGROUND, TRUTH ABOUT THE THREAT AND METHODS 
OF PROTECTION by Andy Nikishin, Mike Pavluschik and Denis Zenkin from 
Kaspersky Lab Ltd.

"About 5 years ago the term "macro virus" appeared for the first time. Despite 
the development of reliable security measures against such an infection and 
numerous reviews on macro-virus protection methods, it still arouses fear in 
millions of computer users..."

Article:
< http://www.net-security.org/text/articles/viruses/macro.shtml >

----------------------------------------------------------------------------

DIGITAL CERTIFICATES & ENCRYPTION by Lance Spitzner

This is a white paper dedicated to Digital Certificates & Encryption, how they 
work and apply to Internet Commerce. 

Article:
< http://www.net-security.org/text/articles/spitzner/certificates.shtml >

----------------------------------------------------------------------------

BUILDING A SECURE GATEWAY SYSTEM by Chris Stoddard

"I'm going to make a couple of assumptions here, first, you know how to install
Linux and are familiar with its use. Second I assume you are setting up a 
gateway computer permanently attached to the internet be it by cable modem,
DSL or whatever and will not be used for anything else like a ftp, telnet or
web server..." 

Article:
< http://www.net-security.org/text/articles/lg_1.shtml >

----------------------------------------------------------------------------

BUILDING A SECURE GATEWAY, PART II by Chris Stoddard

"In the last article, we installed Linux with only those packages we absolutly
needed. (If you have not read my previous article, you should do so now, as it
is the base from which this is built on.) Now comes the detail work, turning your
gateway into fortress. The first thing to understand is there is no way to be
completely secure." 

Article:
< http://www.net-security.org/text/articles/lg_1-1.shtml >

----------------------------------------------------------------------------




Featured books
----------------

The HNS bookstore is located at:
http://net-security.org/various/bookstore

Suggestions for books to be included into our bookstore 
can be sent to staff@net-security.org

----------------------------------------------------------------------------

MASTERING NETWORK SECURITY

Do you need to secure your network? Here's the book that will help you 
implement and maintain effective network security, no matter what size your 
network is or which NOS you're using. Packed with practical advice and 
indispensable information, this book systematically identifies the threats that 
your network faces and explains how to eliminate or minimize them. Covers all 
major network operating systems - NT, NetWare, and Unix - and all aspects of 
network security, from physical security of premises and equipment to 
anti-hacker countermeasures to setting up your own Virtual Private Networks. 
The CD includes evaluation and demonstration versions of commercial firewalls, 
intrusion detection software, and a complete security policy.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0782123430/netsecurity >

----------------------------------------------------------------------------

CRYPTOGRAPHY AND NETWORK SECURITY : PRINCIPLES AND PRACTICE

This book presents detailed coverage of network security technology, the 
standards that are being developed for security in an internetworking 
environment, and the practical issues involved in developing security applications. 
KEY TOPICS: Opening with a tutorial and survey on network security technology, 
this book provides a sound mathematical foundation for developing the algorithms 
and results that are the cornerstone of network security. Each basic building block 
of network security is covered, including conventional and public-key cryptography, 
authentication, and digital signatures, as are methods for countering hackers and 
other intruders and viruses. The balance of the book is devoted to an insightful 
and thorough discussion of all the latest important network security applications, 
including PGP, PEM, Kerberos, and SNMPv2 security. 

Book:
< http://www.amazon.com/exec/obidos/ASIN/0138690170/netsecurity >

----------------------------------------------------------------------------

MAXIMUM LINUX SECURITY : A HACKER'S GUIDE TO PROTECTING YOUR LINUX 
SERVER AND WORKSTATION

In this book, readers become familiar with scores of offensive and defensive 
weapons, including Crack, Tripwire, linux_sniffer, mendax, and many more. For 
each program, the author documents the required infrastructure (such as C or 
Perl), the required permissions, and a URL from which the program can be 
downloaded. Most valuably, he walks you through the use of each program. 
Readers can follow along as the author performs various hacks, including an IP 
spoofing attack. He lists hundreds of hacking tools in an appendix, and includes 
a lot of software (Linux security products, code examples, technical documents, 
system logs, and utilities) on the companion CD-ROM.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0672316706/netsecurity >

----------------------------------------------------------------------------

MAXIMUM SECURITY : A HACKER'S GUIDE TO PROTECTING YOUR INTERNET 
SITE AND NETWORK

This book is written for system administrators who need to know how to keep 
their systems secure from unauthorized use. The anonymous author takes a 
hacker's view of various systems, focusing on how the system can be cracked 
and how you can secure the vulnerable areas. The book makes it clear from the 
outset that you cannot rely on commercial software for security. Some of it is 
flawed, and even the best of it has to be used correctly to provide even the 
most basic security measures. The author scrutinizes such operating systems 
as Microsoft Windows, Unix, Novell, and Macintosh. He details many of the tools 
crackers use to attack the system, including several that have legitimate uses for 
system administration. Rather than merely cataloging areas of risk and showing 
how various flaws can be exploited, the author makes every effort to show how 
security holes can be avoided and remedied. An enclosed CD-ROM provides links 
to many of the tools and resources discussed in the book.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0672313413/netsecurity >

----------------------------------------------------------------------------

BIG BOOK OF IPSEC RFCS: INTERNET SECURITY ARCHITECTURE

The Security Architecture for the Internet Protocol, IPsec, is already defining 
the way organizations and individuals secure their networks. There is no single 
document that describes IPsec, but rather an entire body of work, the Requests 
for Comments (RFC's). This book compiles and organizes these important 
documents in a single printed volume, and adds a glossary and extensive index. 
This means you no longer have to wade through countless RFC's trying to find 
the answer to your IPsec question - all solutions are compiled in a single book, 
with an index that makes them even easier to locate. Every RFC describing an 
aspect of the IPsec standard is included here, as are descriptions of most of 
the cryptographic algorithms used in IPsec.Written by members of the IPsec 
Working Group and other Internet Engineering Task Force members, this is the 
most authoritative IPsec text available.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0124558399/netsecurity >

----------------------------------------------------------------------------

ASP/MTS/ADSI WEB SECURITY

A book/CD-ROM guide for software developers and system architects who are 
building business-critical Web solutions where security is paramount. Explains 
the set of Web technologies from Microsoft, with sections on security 
fundamentals and core technologies, and Web security programming. 
Technologies discussed include Active Server Pages, Microsoft Transaction 
Server, and Active Directory Service Interface. The accompanying CD-ROM 
contains source code for examples and instructions for downloading trial 
versions of software packages.

Book:
< http://www.amazon.com/exec/obidos/ASIN/0130844659/netsecurity >

----------------------------------------------------------------------------

DATABASE NATION : THE DEATH OF PRIVACY IN THE 21ST CENTURY

Forget the common cold for a moment. Instead, consider the rise of "false data 
syndrome," a deceptive method of identification derived from numbers rather 
than more recognizable human traits. Simson Garfinkel couples this idea with 
oncepts like "data shadow" and "datasphere" in Database Nation, offering a 
decidedly unappealing scenario of how we have overlooked privacy with the 
advent of advanced technology. Garfinkel's thoroughly researched and 
example-rich text explores the history of identification procedures; the 
computerization of ID systems; how and where data is collected, tracked, and 
stored; and the laws that protect privacy.

Book:
< http://www.amazon.com/exec/obidos/ASIN/1565926536/netsecurity >

----------------------------------------------------------------------------



Defaced archives
------------------------

[23.07.2000] - Sonlife Ministries
Original: http://www.sonlife.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/23/www.sonlife.com/

[24.07.2000] - Intelligent Media
Original: http://www.e-pages.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.e-pages.com/

[24.07.2000] - icehockey.wes.army.mil
Original: http://icehockey.wes.army.mil/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/icehockey.wes.army.mil/

[24.07.2000] - Business Software Alliance
Original: http://www.bsa.cz/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.bsa.cz/

[24.07.2000] - NS BASIC
Original: http://www.nsbasic.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/24/www.nsbasic.com/

[25.07.2000] - mnr.gov.ru
Original: http://www.mnr.gov.ru/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/25/www.mnr.gov.ru/

[28.07.2000] - Def Con Web site
Original: http://www.defcon.org/
Defaced: http://www.net-security.org/misc/sites/www.defcon.org/




Questions, contributions, comments or ideas go to:

Help Net Security staff

staff@net-security.org
http://net-security.org


---------------------------------------------------------------------
To unsubscribe, e-mail: news-unsubscribe@net-security.org
For additional commands, e-mail: news-help@net-security.org