issue_13_2005.txt

Posted Mar 1, 2005
Authored by astalavista | Site astalavista.com

Astalavista security newsletter number 13 - Featured articles include: Biometrics and the obsolescence of passwords, Will my PC ever be secured? Part 2, Basic security concepts, and an interview with SnakeByte from Snake-Basket.de.

MD5 | 1193a11ad0cbf716ad7c752aa9bea608

|------------------------------------------|
|- Astalavista Group Security Newsletter -|
|- Issue 13 31 January 2005 -|
|- http://www.astalavista.com -|
|- security@astalavista.net -|
|------------------------------------------|

- Table of contents -

[01] Introduction
[02] Security News
- Classified Dutch military documents found on Kazaa
- Hacker penetrates T-Mobile systems
- eBay to drop support for Microsoft's Passport
- FBI retires its carnivore
- Microsoft launches anti-spyware beta
- Panix.com hijack: Aussie firm shoulders blame
- Veritas CEO Explains Logic Behind Symantec Merger
- Trojan Exploits Windows DRM
- Air Force seeks space router
- Full disclosure put on trial in France
[03] Astalavista Recommends
- VoIPong - VOIP Detector and Sniffer
- Reverse engineering malware - Analysis of the Troj/Winser
- The scrutinizer toolkit - web servers (D)DoS protection
- The Future of Free Software Game Development
- Skeeve - ICMP tunneling tool
- DMitry - Deepmagic Information Gathering Tool
- Web Services - Attacks and Defense
- Attack Tool Kit 4.0
- CacheDump
- A Visual Cryptography Digital Image Copyright Protection
[04] Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
[05] Site of the month - http://www.slyck.com/
[06] Tool of the month - ZoneMinder - video camera security application
[07] Paper of the month - Bluetooth Enabled Mobile Phones Security and Beyond
[08] Geeky photo of the month - "The Basement" - these are the geeks
[09] Free Security Consultation
- I have a problem with spyware in my department..
- Tell me something more about the possible..
- Recently we found out that certain users..
[10] Astalavista Security Toolbox DVD v2.0 - what's inside?
[11] Enterprise Security Issues
- Biometrics and the obsolescence of passwords -
[12] Home Users Security Issues
- Will my PC ever be secured? Part 2 - basic security concepts
[13] Meet the Security Scene
- Interview with SnakeByte http://www.snake-basket.de/
[14] Security Sites Review
- Phreedom.org
- Vmyths.com
- Red-Library.com
- Phoronix.com
- Undergroundnews.com
[15] Final Words

01. Introduction
-------------

Hi folks,

Welcome to Astalavista Security Newsletter - Issue 13, the lucky one.

Since we believe more in ourselves than in fate, we've decided that issue
13 should be the longest and most comprehensive one released so far.

Back in 2004, the Astalavista Security Newsletter was initiated with the idea
to spread security knowledge to both novice and advanced users. All we had
then was the passion to dedicate ourselves to 22,000 subscribers, who wanted
to "know" and explore.

According to our statistics, since the beginning of 2004, we have attracted the
interest of 2000 new members, a great number of them representing global world
enterprises and organizations, such as Cisco, Symantec, USAToday,
The World Bank. Of course, the subscribers' rate is not the most insignificant
factor of success. We set up your comments as the first one. So far we've
received hundreds of feedback messages, which helped us improve our quality
and learn from your valuable advice.

Thank you for being a part of us!

If you would like to share your remarks, recommendations or anything you might
want to say concerning Astalavista.com or our security newsletter, please
write to security@astalavista.net

Our "Happy New 2005" greeting message can be found at:

http://www.astalavista.com/index.php?page=108

Astalavista Security Newsletter is mirrored at:

http://www.packetstormsecurity.org/groups/astalavista/

If you want to know more about Astalavista.com, visit the following URL:

http://www.astalavista.com/index.php?page=55

Previous issues of Astalavista Security Newsletter can be found at:

http://www.astalavista.com/index.php?section=newsletter

Enjoy Issue 13!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net

02. Security News
--------------

The Security World is a complex one. Every day a new vulnerability
is found, new tools are released, new measures are
made up and implemented etc. In such a sophisticated Scene we have
decided to provide you with the most striking and up-to-date Security
News during the month, a centralized section that contains our personal
comments on the issues discussed. Your comments and suggestions about
this section are welcome at security@astalavista.net

-------------

[ CLASSIFIED DUTCH MILITARY DOCUMENTS FOUND ON P2P NETWORK KAZAA ]

At least 75 pages of highly classified information
about human traffickers from the Dutch Royal Marechaussee - a
service of the Dutch armed forces that is responsible for guarding the
Dutch borders - have been leaked to the controversial weblog Geen Stijl (No
Style). The documents, which contain phone numbers and tapped conversations, were
found unencrypted on a P2P site - possibly Kazaa according to Dutch newspaper
reports. The likeliest explanation for their appearance is that a member of the Dutch
Royal Marechaussee worked on the documents from home and unintentionally shared his
entire hard drive with the rest of the world.

More information can be found at:

http://www.theregister.co.uk/2005/01/30/dutch_classified_info_found_on_kazaa/

Astalavista's comments:

Although a bit embarrassing, it highlights what might eventually
happen if unprotected information falls into the wrong hands, and since
it's already been available on a P2P network, nobody actually knows
how many people have obtained it. Even worse - the investigations might
have to start from the very beginning. Someone definitely has to enforce
defensive measures against storing sensitive data in an unencrypted
form and the use of P2P at computers holding sensitive data.

[ HACKER PENETRATES T-MOBILE SYSTEMS ]

A "sophisticated" computer hacker had access to servers at wireless giant T-Mobile
for at least a year, which he used to monitor U.S. Secret Service e-mails, obtain
customers' passwords and Social Security numbers, and download candid photos
taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

More information can be found at:

http://securityfocus.com/news/10271

Astalavista's comments:

Indeed, the hacker showed significant knowledge, but it didn't prevent him from
revealing his personality through several serious mistakes - the passion for
fame is among them. How long can you keep your breath and mouth shut
when you can offer reverse lookup for a t-mobile cell phone? Eventually, you're
turning into a target and you leave a trace when publicly (at a web forum)
announcing these "services". Sophisticated hackers don't have problems with their
egos and know what they're up to and they don't make the entire world know
about it when it's so serious that it goes to monitoring the U.S. Secret Service.
The only way to know about these things is either to be the one doing it,
to be involved in the group doing it if any, or to come across the news
when it goes live. Just imagine the publicity of this story in terms of
government and corporate espionage! Do you still think having a prepaid
number is a bad idea?

[ EBAY TO DROP SUPPORT FOR MICROSOFT'S PASSPORT ]

Microsoft announced December 30, 2004 that eBay will drop support for its
Passport service, intended to make Microsoft the gatekeeper for web identities,
but that it will continue with Passport despite the loss. eBay said in a message
to users that in late January 2005 it will stop allowing them to sign on to its
marketplace through Passport, which eBay spokesman Hani Durzy said a very
small percentage of customers utilized.

More information can be found at:

http://www.reuters.com/newsArticle.jhtml?type=technologyNews&storyID=7225469

Astalavista's comments:

A key company finally said "no" to a possible monoculture in the "web identities"
sector, simply because you cannot trust a single company to take care of things it
doesn't have experience with. No matter how visionary its aims or ambitions might be,
the privacy and security issues posed by MS's Passport can result in another company's
loss of customers and reputation, or eventually result in a complete commercialization
of the service.

[ FBI RETIRES ITS CARNIVORE ]

FBI surveillance experts have put their once-controversial Carnivore
Internet surveillance tool out to pasture, preferring instead to use
commercial products to eavesdrop on network traffic, according to
documents released Friday.

Two reports to Congress obtained by the Washington-based Electronic
Privacy Information Center under the Freedom of Information Act reveal
that the FBI didn't use Carnivore, or its rebranded version "DCS-1000," at
all during the 2002 and 2003 fiscal years. Instead, the bureau turned to
unnamed commercially-available products to conduct Internet surveillance
thirteen times in criminal investigations in that period.

More information can be found at:

http://securityfocus.com/news/10307
http://www.astalavista.com/?section=dir&act=dnd&id=2428
http://www.google.com/search?hl=en&lr=&q=echelon

Astalavista's comments:

What does usually happen when you retire? Naturally, someone else replaces you.
Someone who's more trendy, fresh and might even have better capabilities
than you do as in Carnivore's case - Carnivore is a basic sniffer, which is not
enough to maintain and intercept huge flows of intelligence or crime related data.
Recently the U.S. and the Australian governments have favoured the use of spyware
in the prosecution of criminal cases etc. Are we soon going to witness the good
guys competing with the bad guys in terms of who has infected more people, or the
complete hijacking of the biggest spyware vendors for intelligence purposes?
But anyway, who's good and bad these days?

[ MICROSOFT LAUNCHES ANTI-SPYWARE BETA ]

Microsoft introduced a beta version of its Windows AntiSpyware application
January 6, 2005. The application, available for download on the company’s website,
was built using technology gained in the December 2004 acquisition of Giant Software.
Microsoft said the software combats many known strains of spyware, and that the company
will continue to research new forms of spyware and offer automatic updates to
address new threats.

More information can be found at:

http://news.com.com/Microsoft+launches+anti-spyware+beta/2100-1029_3-5514899.html

Astalavista's comments:

Now that's quite hot news discussed over the Internet for the past several weeks.
The security experts blamed Microsoft for the ironic introduction of
Anti-Spyware BETA, since it's MS's products, especially IE, that enhanced the development
of the spyware industry at its very beginning. Even worse (but true), MS's
patching efforts usually keep the entire industry in a "good shape". From a
business point of view, Microsoft would have its brand damaged if it hadn't
responded by offering a solution to the problem - in this case it didn't improve the
security of IE, thus pointing out the battle is lost.

[ PANIX.COM HIJACK : AUSSIE FIRM SHOULDERS BLAME ]

An Australian domain registrar has admitted to its part in last weekend's
domain name hijack of a New York ISP. Melbourne IT says it failed to properly
confirm a transfer request for the Panix.com domain. Ed Ravin, a Panix system
administrator, says the Melbourne IT error enabled fraudsters using stolen
credit cards to assume control of the domain. Thousands of Panix.com customers
lost email access for the duration of the occupation, and many emails will never
be recovered.

More information can be found at:

http://www.theregister.co.uk/2005/01/19/panix_hijack_more/
http://www.icann.org/registrars/accreditation.htm

Astalavista's comments:

Although these attacks have been quite rare lately, the attackers are usually
taking advantage of weak domain registering service. Anyway, a
friend I knew back at school, the last person that has to do anything
with the Internet, is now a domain registrant. It's kind of worrying me!

[ VERITAS CEO EXPLAINS LOGIC BEHIND SYMANTEC MERGER ]

Veritas Software CEO Gary Bloom, who's set to become Symantec's vice
chairman after the two companies' merger deal closes, has one eye on the
present and the other on a promising vision of the
future. This week, Veritas launched Backup Exec 10 for
Windows, which allows solution providers to better help customers
handle data management and compliance. In an interview with CRN Editor
In Chief Michael Vizard, Bloom explains the short-term opportunities
around backup for partners and expounds on the factors that drove the
merger with Symantec, where he also will be responsible for
all customer-facing sales activities, including the
channel.

More information can be found at:

http://www.crn.com/sections/breakingnews/breakingnews.jhtml?articleId=57702191

Astalavista's comments:

Although the merger has been somehow criticized by some, like any other
merger it involves its costs and should not be judged by people laid off,
like in Oracle/PeopleSoft's case. Oracle did it to protect their market share.
Combining forces with PeopleSoft it took advantage of the increased
use of open-source and cost effective databases. But Symantec has been
buying startups at an amazing speed - what bothers me is not the speed,
but rather the development of their long-term actual potential, since the majority of
them end up providing an extension to existing products. And since the acquisition
of @stake by Symantec, I've started having concerns about it.

[ TROJAN EXPLOITS WINDOWS DRM ]

Anti-Virus and security vendor Panda Labs is reporting the discovery of a threat
that takes advantage of Windows Digital Rights Management (DRM).

According to the company's warning, one of two Trojans, Trj/WmvDownloader.A or
Trj/WmvDownloader.B, could be placed inside Windows Media format (.wmv) video files
by malicious users. It executes when the user opens the files with the latest Windows
Media Player 10 update, which is part of Windows XP SP2.

More information can be found at:

http://www.internetnews.com/ent-news/article.php/3457451
http://news.zdnet.co.uk/internet/security/0,39020375,39184120,00.htm
http://securityresponse.symantec.com/avcenter/venc/data/trojan.wimad.html
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=57265&sind=0
http://software.silicon.com/malware/0,3800003100,39127210,00.htm

Astalavista's comments:

Ok, we've got an enormous amount of the Internet's traffic used for P2P
transfers and a trojan with the possibility to exploit movie files.
On the other hand we have MS safeguarding its reputation and the usefulness
of Windows XP SP2. First denying that a patch is going to be released at all,
later the usual "MS will release a patch in the next 30 days" took place. But what
was going around the Internet in terms of infected files during these 30 days? Who
needs a practical and timely security strategy plus a patch management?
I doubt it's the end user this time...

[ AIR FORCE SEEKS SPACE ROUTER ]

Northrop Grumman and Caspian Networks are collaborating to develop an
Internet Protocol router that can withstand the constant barrage of solar
radiation in orbit. The space-hardened IP router will be part of the Air Force's
Transformational Satellite Communications System, which will provide IP-based
communications to warfighters.

More information can be found at:

http://www.fcw.com/fcw/articles/2005/0110/web-spacerouter-01-14-05.asp

Astalavista's comments:

Welcome to the world of network-centric warfare, the one defined as the most
successful and vital for the modernization of the U.S. Army. Check out the
DoD view on the concept:

http://www.dod.mil/nii/NCW/

Can they really deal with the solar radiation? Since Northrop Grumman
is taking care of it, I have a feeling about this one!

[ FULL DISCLOSURE PUT ON TRIAL IN FRANCE ]

The trial of a French security researcher last week has become a cause
celebre. Its outcome will decide if interested parties can "peek under the bonnet"
in testing the road-worthiness of security products without falling foul
of French law.

The case began more than three years ago when Guillaume Tena (AKA Guillermito)
released proof of concept code to highlight security bypass and worm
evasion flaws in Viguard, an antivirus product, from
French company Tegam. Tena produced exploits showing that Tegam's generic
anti-virus failed to stop "100 per cent of known and unknown viruses" as
claimed. He posted his findings to a French usenet newsgroup in the summer of
2001 before publishing the research on a website in March 2002.

More information can be found at:

http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/

Astalavista's comments:

The highly important trial for the security community
is nothing more than a pissed off company who claims 100% protection
against known and unknown viruses - something I doubt even a market
leader as Symantec would claim, simply because it's not possible. Although I
have some reservations about full disclosure, isn't the ultimate goal to show which
products you can really trust? Those who claim quality and don't actually
deliver it, and those who are so aware/unaware of how their products work
in order to release a working patch in a timely manner and actually distribute
it to their customers???

03. Astalavista Recommends
-----------------------

This section is unique with its idea and the information included within.
Its purpose is to provide you with direct links to
various white papers and tools covering many aspects of Information
Security. These white papers are defined as a "must read" for everyone
interested in deepening his/her knowledge in the Security field.
The section will keep on growing with every new issue. Your comments and
suggestions about the section are welcome at security@astalavista.net

" VOIPONG - VOIP DETECTOR AND SNIFFER "

VoIPong is a utility that detects all Voice Over IP calls on a pipeline, and for
those which are G711 encoded, dumps actual conversation to separate wave files.
It supports SIP, H323, Cisco's Skinny Client Protocol, RTP and RTCP.

http://www.astalavista.com/?section=dir&act=dnd&id=3412

" REVERSE ENGINEERING MALWARE - ANALYSIS OF THE TROJ/WINSER "

A detailed analysis of Troj/Winser, good reading and overview of general
reverse engineering concepts

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3431

" THE SCRUTINIZER TOOLKIT - WEB SERVERS (D)DOS PROTECTION "

The scrutinizer toolkit is designed to protect Web servers from HTTP
(D)DoS attacks. It is a toolkit consisting of an analysis engine which
analyzes Web server access logfiles in almost real time, an Apache module
which is able to block wrongdoers on the Web server,
an extension to block offenders with netfilter firewalls, and a set of
visualization tools.

http://www.astalavista.com/?section=dir&act=dnd&id=3438

" THE FUTURE OF FREE SOFTWARE GAME DEVELOPMENT "

Insightful article on what's the possible future of free software development
for games.

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3432

" SKEEVE - ICMP TUNNELING TOOL "

With this Proof Of Concept tool, you can simply create an ICMP tunnel
between two computers, which may be located in different networks and
separated by a firewall. Skeeve utilizes ICMP packets and IP address
spoofing technology to create a data channel in order to redirect TCP
connections inside this channel.

http://www.astalavista.com/?section=dir&act=dnd&id=3467

" DMITRY - DEEPMAGIC INFORMATION GATHERING TOOL "

DMitry (Deepmagic Information Gathering Tool) is a
UNIX/(GNU)Linux Command Line Application coded in C. DMitry has the
ability to gather as much information as possible about a host. Base
functionality is able to gather possible subdomains, email addresses,
uptime information, tcp port scan, whois lookups, and more.

http://www.astalavista.com/?section=dir&act=dnd&id=3473

" WEB SERVICES - ATTACKS AND DEFENSE "

Whitepaper discussing the scope of information gathering used against
web services.

http://www.astalavista.com/?section=dir&act=dnd&id=3545

" ATTACK TOOL KIT 4.0 "

The Attack Tool Kit (ATK) is an open-source security scanner and
exploiting framework for Microsoft Windows.

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3449

" CACHEDUMP "

CacheDump is a tool that demonstrates how to recover cache entry
information: username and hashed password (called MSCASH).

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3448

" A VISUAL CRYPTOGRAPHY DIGITAL IMAGE COPYRIGHT PROTECTION "

The watermark method is an excellent technique to protect copyright
ownership of a digital image. The proposed watermark method is
built on the concept of visual cryptography.

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3453

04. Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
------------------------------------------------------------------------

Last chance to get a lifetime membership: after the end of February, lifetime
memberships will no longer be available. Get yours and become part of the community,
not only for the rest of your life, but also in a cost-effective way. Join us!

http://www.astalavista.net/new/join.php

What is Astalavista.net all about?

Astalavista.net is a global and highly respected
Security Portal, offering an enormous database of very well-sorted and
categorized Information Security resources - files, tools, white
papers, e-books and many more. At your disposal are also thousands of
working proxies, wargames servers where you can try your skills and
discuss the alternatives with the rest of the members.
Most importantly, the daily updates of the portal make it a valuable and
up-to-date resource for all of your computer and network security needs - a lifetime investment.

Among the many other features of the portal are:

- Over 3.5 GByte of Security Related data, daily updates and always
working links.
- Access to thousands of anonymous proxies from all
over the world, daily updates
- Security Forums Community where thousands of individuals are ready
to share their knowledge and answer your questions; replies are always
received no matter the question asked.
- Several WarGames servers waiting to be hacked; information between
those interested in this activity is shared through the forums or via
personal messages; a growing archive of white papers containing
info on previous hacks of these servers is available as well.


05. Site of the month
------------------

http://www.slyck.com

Slyck.com is a site dedicated to providing its visitors with the latest
P2P news and info

06. Tool of the month
------------------

ZoneMinder - video camera security application

ZoneMinder is a set of applications which is intended to provide a complete
solution allowing you to capture, analyse, record and monitor any cameras
you have attached to a Linux based machine.

http://www.astalavista.com/?section=dir&act=dnd&id=3502

07. Paper of the month
-------------------

Bluetooth Enabled Mobile Phones Security and Beyond

Various Bluetooth Security attacks and defenses discussed

http://www.astalavista.com/index.php?section=dir&act=dnd&id=3440

08. Geeky photo of the month - "The Basement" - these are the geeks
----------------------------------------------------------------

Every month we receive great submissions to our Geeky
Photos gallery. In this issue we've decided to start featuring the
best ones in terms of uniqueness and IT spirit.

"The Basement" can be found at:

http://www.astalavista.com/images/gallery/the_basement.jpg

09. Free Security Consultation
---------------------------

Have you ever had a Security related question but you weren't sure where
to direct it to? This is what the "Free Security Consultation" section was
created for. Due to the high number of Security-related e-mails we keep
getting on a daily basis, we have decided to initiate a service, free of charge.
Whenever you have a Security related question, you are advised to direct it
to us, and within 48 hours you will receive a qualified response from one
of our Security experts. The questions we consider most interesting and
useful will be published in the section. Neither your e-mail, nor your
name will be disclosed.

Direct all of your Security questions to security@astalavista.net

Thanks a lot for your interest in this free security
service, we are doing our best to respond as soon as possible and
provide you with an accurate answer to your questions.

---------
Question: I have a problem with spyware in my department. Users simply
cannot switch their browsers and don't want to use anything else besides IE, what
would you recommend?
---------

Answer: The situation with IE is getting very serious, and almost 99% of all phishing
and malicious attacks rely on IE vulnerabilities because IE is the most popular
browser used by any Internet user. Although you could fight spyware by improving
the security settings of the browsers, trying to keep up to date with freeware
anti-spyware solutions, it wouldn't be enough. Depending on how much you're willing
to invest, I would recommend that you either force them to use another browser
alternative, or use service companies such as http://www.lavasoftusa.com/software/adaware/
or http://www.webroot.com/

Take a look at the following resources regarding
spyware and IE:

http://www.astalavista.com/index.php?section=dir&act=dnd&id=2032
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3186
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2138
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2407
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2406

---------
Question: Tell me something more about the possible secure use and
potential security issues for my company related to usb sticks
and removable media? Thank you!
---------

Answer: USB sticks indeed represent a threat to the confidentiality of your information, since
they give the end user the opportunity to download sensitive information and use it
outside the, at least thought to be secure, corporate environment. Something else to
consider are the possible piracy implications, or the fact that end users are often
using binaries in order to bypass the installation of certain software. That's pretty
common and works sometimes. Consider enforcing a policy about usb sticks - either block
them completely, or make sure your employees know their usb (or any other)
activities are monitored in coordination with the company's security policy.

----------
Question: Recently we found that certain users have
installed various P2P applications at their work PCs. What should we do?
We are ready to take the maximum actions to make sure they don't use them again.
----------

Answer: P2P networks represent a big threat to the company's infrastructure since they
easily bypass certain and often common firewall configurations. The consequences could
be like the ones with which we started this issue's Security News section. Confidential
and sensitive reports leaked out to the entire world, and although it doesn't necessarily
mean to your competitors, it means to users who might be aware of what they've just found.
Consider blocking P2P traffic, making sure that data confidentiality measures such as encryption
are in place. Make sure that the installation of these should be as prohibited as possible.
P2P at work wastes valuable bandwidth and hides the possibility to share an employee's hard
drive with the entire world - I doubt that's what you want.

Take a look at the following:

http://www.farrokhi.net/blog/archives/000233.html
http://ntrg.cs.tcd.ie/undergrad/4ba2.02-03/p10.html
http://www.isaserver.org/articles/2004blockp2pim.html

10. Astalavista Security Toolbox DVD v2.0 - what's inside?
-------------------------------------------------------

Astalavista's Security Toolbox DVD v2.0 is considered
the largest and most comprehensive Information Security archive.
As always, we are committed to providing you with a suitable resource for
all your security and hacking interests in an interactive way!

The content of the Security Toolbox DVD has been
carefully selected, so that you will only browse through quality
information and tools. No matter whether you are a computer
enthusiast, a computer geek, a newbie looking for information on
"how to hack", or an IT Security professional looking for quality
and up to date information for offline use or just for convenience,
we are sure that you will be satisfied, even delighted by the DVD!

More information about the DVD is available at:

http://www.astalavista.com/index.php?page=3

11. Enterprise Security Issues
---------------------------

In today's world of high speed communications, of
companies completely relying on the Internet for conducting business and
increasing profitability, we have decided that there should be a special section
for corporate security, where advanced and highly interesting topics will be
discussed in order to provide that audience with what they are looking for - knowledge!

- Biometrics and alternative authentication methods - the obsolescence of passwords is on its way -

What is the cheapest way to authenticate a company's staff these days? You've guessed it
- passwords - we all use them for one reason or another. What we actually don't realize
is that we or our organizations are falling victim to the myth of long passwords with
numbers, capital or lower letters, plus the special characters. This brief article
intends to summarize various security issues related to passwords and their obsolescence,
and it suggests biometrics as an alternative.

Today's workforce is flooded with passwords to remember, personal emails, online
services, company networks etc., which results in waste of valuable resources
and extensive costs for the help desk since the majority of users often forget
their "too complex to remember" passwords. Even worse, users are often found to trick
the password aging enforced by an organization, or write it down and never take
the effort to actually memorize it.

Why are passwords insecure? Passwords can be guessed, cracked, socially engineered,
sniffed etc., which makes them extremely vulnerable in today's world of E-commerce.
In the next couple of years we would see.

The majority of organizations are slowly adopting various biometrics mechanisms,
where the most popular one is still the fingerprint scan. But, what is it
with biometrics that makes them so reliable? It's the fact that they
cannot be stolen, cannot be lost, and, of course, cannot be forgotten.
The trade-off for their effectiveness lies in the costs associated with
implementing them, which can be quite significant in a large organization.
Since you need to get a better understanding and be in possession of more
resources, the best you could do is to ensure that the access to the most
critical resources is safeguarded using biometrics or some kind of physical
authentication. An alternative for the mobile workforce is the use of encryption
since laptops are often stolen or simply forgotten somewhere with all of their
sensitive data in plain-text, now how easy is that?

The so-called tokens can be considered a relatively cost-effective
authentication method. They are microprocessor devices, usually the size
of a credit card or smaller, whose purpose is to provide one-time passwords
or basic physical authentication.

The following resources are recommended for further reading:

http://www.atstake.com/research/reports/acrobat/rr2001-04.pdf
http://www.cryptocard.com/
http://www.verisign.com/products-services/security-services/unified-authentication/usb-tokens/
http://www.activcard.com/en/products/4_3_3_tokens.php
http://www.rsasecurity.com/node.asp?id=1156
http://www.astalavista.com/?section=dir&act=dnd&id=993
http://biometrics.cse.msu.edu/biometricsgrandchallenge.pdf
http://www.ibia.org/EverythingAboutBiometrics.PDF

12. Home Users' Security Issues
----------------------------

Due to the high number of e-mails we keep getting from
novice users, we have decided that it would be a very good idea to
provide them with their very own section, discussing various aspects
of Information Security in an easily understandable way while, at
the same time, improving their current level of knowledge.

- Will my PC ever be secured? Part 2 - basic security concepts -

In the previous issue we covered your OS "choice", firewalls and spyware.
Now we're going through spamming, phishing and software/browser vulnerabilities.

How come you get so much spam? It has to do with the way you use the Internet as a
whole. Right now there are probably hundreds of spam crawlers looking for
mailto:someone@somewhere.com email addresses left around forums or personal
web sites. Whenever you post your email, consider not doing it the way you have
so far. Instead, post it as someone AT somewhere DOT com or someone@somewhere.com where
the @ is actually a small gif. Something else to consider - never use your personal
email for various mailing lists or registration services. You don't want to have it
abused and possibly flooded with spam, right? Another point: to protect yourself
from spyware, have HTML and remote image loading turned off in your
email client, and make sure you NEVER reply to a spammer or try to remove yourself
from their list, because what you're actually doing in both cases is verifying that
your account is indeed active. Spammers don't know if the account is active or not -
they just came across it and they are doing their best to find out whether it's a
reliable, working one or a possible spam trap. Although it's getting more difficult
for spammers to get our emails, the level of spam is definitely not decreasing.
Who is sending it, you might ask? What used to be a couple of people using software and
looking for misconfigured mail servers are now groups using your (malware-infected)
computers and Internet connections to send all that spam.

Recently, phishing attacks and Internet scams emerged and criminals from all over the
world started exploiting people's trust in the Web, even sending them invoices for
porn services while never actually getting back to them. Why is phishing so successful?
Because people trust their browsers, or at least what they see in the URL field. There are
various URL obfuscation techniques such as wwww.bank.com.au instead of www.bank.com,
or even worse - host name obfuscation such as http://5435626735/ while you see visa.com
in your active field. The majority of phishing attacks rely mainly on social engineering
factors (trying to impersonate an organization or a bank, even a donation fund), on the
lack of technical knowledge on the end user's side, on the end user's naivety as a whole,
and on various browser or email client vulnerabilities. Recently, phishing attacks
started targeting important web sites as well. Events like these really have the power
to undermine E-commerce as a whole.

The AntiPhishing Working Group has extensive information on the latest trends:

http://www.antiphishing.org/
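
The two tricks named in the phishing paragraph above (a trusted name embedded in a
different domain, and an all-digit host behind familiar link text) can be checked
mechanically. The sketch below is an added example, not part of the original newsletter;
the TRUSTED list, the function names and the sample links are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: domains the reader really does business with (assumption).
TRUSTED = ("bank.com", "visa.com")

def belongs_to(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)

def numeric_host(host):
    """Return a finding if the host is an IP address in disguise, else None."""
    if host.isdigit():                      # e.g. http://3232235777/
        value = int(host)
        if value < 2**32:
            return f"decimal IP host, really {ipaddress.IPv4Address(value)}"
        return "all-digit host too large for IPv4, still not a host name"
    try:
        ipaddress.ip_address(host)
        return "raw IP address instead of a host name"
    except ValueError:
        return None

def check_link(display_text, href):
    """Compare what the user is shown with where the link actually goes."""
    host = (urlsplit(href).hostname or "").lower().rstrip(".")
    findings = []
    numeric = numeric_host(host)
    if numeric:
        findings.append(numeric)
    for domain in TRUSTED:
        if domain in host and not belongs_to(host, domain):
            findings.append(f"host embeds '{domain}' but is not under it")
        if domain in display_text.lower() and not belongs_to(host, domain):
            findings.append(f"text shows '{domain}' but link goes to '{host}'")
    return findings

# Constructed samples built from the patterns named in the article;
# the last host is an arbitrary private address in decimal form.
SAMPLES = [
    ("www.bank.com", "http://www.bank.com/login"),
    ("www.bank.com", "http://wwww.bank.com.au/login"),
    ("visa.com", "http://5435626735/"),
    ("visa.com", "http://3232235777/"),
]

if __name__ == "__main__":
    for text, href in SAMPLES:
        print(href, "->", check_link(text, href) or "no findings")
```

The subdomain test is a plain suffix match; a production mail or proxy filter would
add the Public Suffix List and look-alike character checks on top of it.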

Software and browser vulnerabilities play the most important role in today's world
dominated by huge botnets (thousands of infected computers under the control of a single
individual, group of individuals, or those interested in paying for using them).
A couple of years ago it was easy to update your software, namely because things
weren't as complex as now. How many Internet-related programs are you using these
days compared to 2-3 years ago? Definitely more. No software
is perfect, and sooner or later bugs are found in both Microsoft and Linux
based products. The question is how fast a patch is distributed, whether
it is distributed at all, and whether YOU are actually patching, making sure
your computer is protected from the next attack waiting for you simply because
you visited a malicious web site. Let's face it - IE is not a secure browser, or even if
it is, it's the most targeted one. What you could do is switch to a less popular
alternative, thus avoiding the majority of attacks around the Internet.

Consider visiting the following sites to keep yourself
up to date with the latest vulnerabilities, or learn more about spamming,
phishing and Internet Explorer security issues. Stay secure and think twice when it
comes to your $ or identity on the Internet!

http://secunia.com/
http://securiteam.com/
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2377
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3194
http://www.astalavista.com/index.php?section=dir&act=dnd&id=3506
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2886
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2551
http://www.astalavista.com/index.php?section=dir&act=dnd&id=1943
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2005
http://www.astalavista.com/index.php?section=dir&act=dnd&id=2942

13. Meet the Security Scene
------------------------

In this section you are going to meet famous people,
security experts and all personalities who in some way
contribute to the growth of the community. We hope that you will enjoy
these interviews and that you will learn a great deal of useful
information through this section. In this issue we have interviewed
SnakeByte (Eric) from http://www.snake-basket.de/

Your comments are welcome at security@astalavista.net
------------------------------------------------
Interview with SnakeByte (Eric),
http://www.snake-basket.de/

Astalavista : Hi Eric, would you please introduce yourself to our
readers and share your experience in the security scene?

Eric : I am 24 years old, currently studying computer
science in Darmstadt, Germany for quite some time now. I am
mostly a lazy guy, doing whatever I am currently interested in.
My interest in computer security started with viruses ( no, I
never spread one ), which were really interesting back then, but nowadays
every worm looks the same;(

Astalavista : Things have changed much since the days of Webfringe, Progenic,
BlackCode etc. What do you think are the main threats to security these days?
Is it our dependence on technologies and the Internet, the fact that it's
insecure by design, or do you have something else in mind?

Eric : I think security itself got a lot better since
then but we have more dumb users who work hard to make it worse
now. Most users nowadays get flooded with viruses and just click them,
also the recent rise in phishing attacks - it's not the box
which gets attacked here, it's the user. Security also got a lot more
commercial.

Astalavista : What is your opinion on today's malware
and virii scene? Do you think that groups such as the infamous A29 have
been gaining too much publicity? What do you think motivates virii
writers and virii groups now in comparison to a couple of
years ago?

Eric : It's 29a :) And they deserve the publicity they
got. They did and are doing some really cool stuff. But
they also were clever enough to be responsible with the stuff
they created. About motivation for virii writers - it's different
for each of them, have to ask them.

But I think there is a new motivation - money.
Nowadays you can get paid for a couple of infected computers,
so spammers can abuse them.

Astalavista : What do you think of Symantec? Is too much purchasing power
under one roof going to end up badly,
or eventually the whole industry is going to benefit from their actions?

Eric : Sure monopolies are always bad but we get them
everywhere nowadays. Maybe we need another revolution...

Astalavista : Is the practice of employing teen virii writers
possessing what is thought to be a "know-how" a wise
idea? Or it just promotes lack of law enforcement and creates
hordes of source modifying or real malware coders?

Eric : I don't think it is a wise idea at all, but don't tell my boss ;-)
Whether one has written virii or not should not influence your decision
to hire him/her.

Astalavista : Application security has gained much
attention lately. Since you have significant programming experience,
what do you think would be the trends in this field
over the next couple of years, would software be indeed coded more
securely?

Eric : Maybe, if universities started to teach coding
in a secure way instead of teaching us more java bullcrap. But I think
the open source development is indeed helpful there. If you want to
run something like a server, a quick glance at the code will tell you
whether you really want to use this piece or search for another one.

Astalavista : Microsoft and its efforts to fight
spyware have sparked a huge debate over the Internet. Do you
think it's somehow ironic that MS's IE is the number one reason
for the existence of spyware? Would we see yet another
industry built on MS's insecurities?

Eric : It's the only reasonable way for MS to react.
Heh, they are just a company.

Astalavista : The Googlemania is still pretty hot. Are
you somehow concerned about their one-page privacy policy,
contradictory statements, and the lack of retention policies
given the fact that they process the world's searches in the
most advanced way and the U.S. post-9/11 Internet wiretapping
initiatives?

Eric : Yes I am, that's why their only product I use is the
websearch function. As soon as I find another good website
like google.

Astalavista: Thanks for your time Eric!

14. Security Sites Review
----------------------

The idea of this section is to provide you with reviews
of various highly interesting and useful security or
general IT related web sites. Before we recommend a site, we
make sure that it provides its visitors with quality and
unique content.

-
Phreedom.org
-
http://www.phreedom.org/

Phreedom is Bulgaria's most respected and well known h/c/p/a ezine starting in 1997

-
Vmyths.com
-
http://www.Vmyths.com/

Vmyths.com is a site providing its visitors with virus myths & hoaxes information

-
Red-Library.com
-
http://red-library.com/

It's indeed red and consists of a nice document archive

-
Phoronix.com
-
http://www.phoronix.com/

Are you a hardware fan? This site is for you

-
Undergroundnews.com
-
http://www.Undergroundnews.com/

The title says all, extensive news on various security or IT topics


15. Final Words
------------

Dear subscribers,

Thank you for reading our newsletter, or just your favourite sections. We hope you found
something rare and unique that showed you the security world from a different
perspective - what we try to achieve all the time is to make a difference by
providing you with quality information.

Many other surprises in terms of design, content and free services
are planned in 2005. Keep the spirit and don't stop exploring!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net
