|------------------------------------------|
|- Astalavista Group Security Newsletter  -|        
|- Issue 14 09 March 2005                 -|
|- http://www.astalavista.com/            -|      
|- security@astalavista.net               -|
|------------------------------------------| 

- Table of contents -

[01] Introduction
[02] Security News
        - Lawyers form group to aid open source code writers 
        - MSN Belgium to use eID cards for online checking
        - T-Mobile hacker pleads guilty
        - SUSE Linux wins Common Criteria certification
        - Microsoft denies blackmail accusations
        - AOL man pleads guilty to selling 92m email addies
        - Symantec hit by large-scale flaw
        - Complaint dropped against DDoS mafia
        - Hackers see 3G as prize target
        - Gartner slams Microsoft's lack of a security strategy
[03] Astalavista Recommends
        - Computer Languages History
        - Fight Chaos IRC Game
        - Wiretapping the Internet
        - Penetration Testing IPsec VPNs
        - RegistryProt 2.0
        - The Art of Computer Virus Research And Defense
        - fl0w-s33ker.pl - Overflow tracker + debugger
        - The C Code Analyzer (CCA)
        - Hold Your Sessions: An Attack on Java Session-id Generation
        - SpoofStick IE
[04] Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
[05] Site of the month - http://www.linuxlinks.com/
[06] Tool of the month - The "Google Hack" Honeypot
[07] Paper of the month - Why Open Source Software / Free Software ?
[08] Geeky photo of the month - "Richie Rich" -
[09] Free Security Consultation
        - Correct me if I'm wrong but as far as FireFox is concerned..
        - During the last couple of years me as everyone else.. 
        - Did the FBI really..
[10] Astalavista Security Toolbox DVD v2.0 - what's inside?
[11] Enterprise Security Issues  
        - Malware and our organization - what are we missing?
[12] Home Users Security Issues
        - 2005 - are we heading straight to 1984? 
[13] Meet the Security Scene
        - Interview with Björn Andreasson, http://www.warindustries.com/
[14] Security Sites Review
        - Bleedingsnort.com
        - Benedelman.org
        - Majorgeeks.com
        - Networksecuritytech.com
        - Blackhat.be
[15] Final Words

01. Introduction
   -------------

Hi folks,

Welcome to Astalavista Security Newsletter - Issue 14.

Astalavista.com has attracted quite a lot of attention recently,
the Worm.Ahker family restricted access to our
site - nice to see it mentioned at the top with the fbi.gov and
a couple of others left behind.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AHKER.B&VSect=T#

During the month, we extended our affiliates network with
websites such as SecurityDocs.com - a security white-paper directory,
MegaSecurity.org - one of the few trojans' information databases left
online, NovaStream.org - an online radio and WarIndustries.com - a site
that's been around since 1998. It is great that someone's still keeping it up.

We also added a new "Astalavista Top 20 Featured Papers" section,
right next to our "Astalavista Top 20 Featured Tools". These would
be updated on a monthly basis with the idea to help you find worthy tools and reading 
materials.

Several more security related and weekly updated sections are to come at 
Astalavista.com, so stay tuned!

In Issue 14, you'll read an interview with Björn Andreasson, the person behind
WarIndustries.com. You'll find out what happened around the industry 
during February, and you can go through our "Malware and our organization - what
are we missing?" - an article discussing various malicious software protection
measures from an organization's point of view and  "2005 - are we heading straight
to 1984?" - a privacy-awareness oriented article explaining various issues on the topic.

All issues of our newsletter will also be available in both TXT and HTML
within the next two weeks. As always, the choice is yours!

Enjoy Issue 14, and thanks for staying with us!

Astalavista Security Newsletter is mirrored at:

http://www.packetstormsecurity.org/groups/astalavista/
http://www.securitydocs.com/astalavista_newsletter/

If you want to know more about Astalavista.com, visit the following URL:

http://www.astalavista.com/index.php?page=55

Previous issues of Astalavista Security Newsletter can be found at:

http://www.astalavista.com/index.php?section=newsletter

Yours truly,

Editor - Dancho Danchev
dancho@astalavista.net 

Proofreader - Yordanka Ilieva
danny@astalavista.net

02. Security News
   --------------

The Security World is a complex one. Every day a new vulnerability
is found, new tools are released, new measures are
made up and implemented etc. In such a sophisticated Scene we have
decided to provide you with the most striking and up-to-date Security
News during the month, a centralized section that contains our personal
comments on the issues discussed. Your comments and suggestions about
this section are welcome at security@astalavista.net 

   -------------

[ LAWYERS FORM GROUP TO AID OPEN SOURCE CODE WRITERS ]

A non-profit group of lawyers have formed the Software Freedom Law Center
to provide legal services to the open source community. The SFLC, formed 
with more than $4 million donated by Open Source Development Labs, will
provide legal services to non-profit open source software projects and
developers, giving advice and litigation support on issues such as licenses,
patents, copyrights, and intellectual property law. Eben Moglen, an expert
on international software copyright law and founder of the center, says he
expects as much as $12 million in additional support within the next five
years from sellers and large open source software customers, and anticipates
the center growing to a staff of 15 attorneys.

More information can be found at :

http://technews.orb6.com/stories/sv/20050201/lawyersformgrouptoaidopensourcecodewriters.php

Astalavista's comments:

Nice one, given last month's trial in France, where the French 
company Tegam was suing Guillaume Tena for releasing proof of concept
code to highlight security bypass and worm evasion flaws in Viguard - 
the company's antivirus product. But take into account the following - the researcher
didn't have malicious intentions. He could have kept his anonymity prior
to the release of the code and he could have caused much serious damage
to the company, which took it personally, an action condemned by the majority
of respected sites and security reseachers, with a reason.

Is it a good idea to find security holes anyway?

Check out the following paper as it has very good insights on the topic :

http://www.astalavista.com/media/files/rescorla.pdf

[ MSN BELGIUM TO USE EID CARDS FOR ONLINE CHECKING ]

Microsoft's Bill Gates and Belgian State Secretary for e-government
Peter Vanvelthoven announced February 1, 2005 that they are working 
together to ensure support for the Electronic Identity Card (e-ID) 
standard. The e-ID cards contain an electronic chip  and will replace
the existing ID card system in Belgium, with over 3 million to be 
distributed by the end of 2005. Microsoft plans to combine the eID
Card with its MSN Messenger chatrooms to improve safety, as users
would have a trustworthy way of identifying themselves online, 
allowing the Belgian Federal Computer Crime Unit (FCCU) to limit
access for young children.

More information can be found at :

http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/

Astalavista's comments:

"Working together" doesn't necessarily mean "soon to be implemented".
Imagine yourself in a situation with an e-ID card for MSN when it comes
to your privacy. Certain governments who recently 
started evolving and placing E in front of government are still 
unaware of many of the practical and social implications that their 
actions might cause. Don't fall victim of the thought to be part of socially
oriented campaigns where the ultimate goal is to know who's who on
MSN in the most convinient way ever. Meanwhile, young childer will
always find ways to bypass these protections the way they bypass
the "SafeSearch" feature by being the fist-comer of a public
or someone else's computer.

[ T-MOBILE HACKER PLEADS GUILTY ]

A sophisticated computer hacker who penetrated servers at wireless
giant T-Mobile pleaded guilty Tuesday to a single felony charge of
intentionally accessing a protected computer and recklessly causing
damage. 

Nicolas Jacobsen, 22, entered the guilty plea as part of a sealed
plea agreement with the government, says prosecutor Wesley Hsu, 
who declined to provide details. The prosecution, first reported
by SecurityFocus last month, has been handled with unusual secrecy
from the start, and a source close to the case said in January that
the government was courting Jacobsen as a potential undercover informant. 

Before his arrest last October, Jacobsen used his access to a 
T-Mobile database to obtain customer passwords and Social Security
numbers, and to monitor a U.S. Secret Service cyber crime agent's 
e-mail, according to government court filings in the case. Sources
say the hacker was also able to download candid photos taken by 
Sidekick users, including Hollywood celebrities, which were shared
within the hacking community. 

More information can be found at :

http://www.securityfocus.com/news/10516
http://www.securityfocus.com/news/10271

Astalavista's comments:

The T-Mobile hacker rocks my world this month, bearing in mind that
the candid photos "shared within the hacking community" are now 
publicly available over the Internet, and some are a way too personal
and...naked of course. What is to highlight in this case is his age,
the fact that he had been under cover for one year by the time he started
advertising the services available; and, as  always, it would be just
a couple of people (no, not the prosecutors) knowing how much sensitive
information has actually been intercepted. T-Mobile definitely have
a PR disaster on its way, let's not mention the lack of confidence in their 
ability to provide reliable but secure services.

[ SUSE LINUX WINS COMMON CRITERIA CERTIFICATION ]

Novell's SuSE Linux Enterprise Server 9 running on IBM's eServer
has won CAPP/EAL4+ (Controlled Access Protection Profile,
Evaluation Assuarance Level) under the Common Criteria. It is the
first time a Linux distribution has won a Level 4 evaluation.
RedHat Linus is currently undergoig testing for Level 4, while
Microsoft's Windows 2000 won Level 4 in 2002.

More information can be found at :

http://www.gcn.com/vol1_no1/daily-updates/35119-1.html

Astalavista's comments : 

I especially enjoy the way Novell started catching up in the latest
years, especially with their new open-source philosophy, even with an
emphasis on security. I'm more than impatient to see what new is to come.

Listen to the following 30MB mp3 directly from Novell's point of view :

http://www.astalavista.com/?section=dir&act=dnd&id=3695

[ MICROSOFT DENIES BLACKMAIL ACCUSATIONS ]

Microsoft has denied reports published in a Danish financial
newspaper that chairman Bill Gates told Prime Minister
Anders Fogh Rasmussen that his company would move 800 jobs from
Denmark to the United States if the country did not support the
European Union's Computer Implemented Inventions Directive
(CIID). 

This is not the first allegation of technology
companies attempting to influence EU policy; in January 2005, the
Polish Gazeta Wyborcza reported that subsidiaries of Siemens,
Nokia, Philips, Ericsson and Alcatel sent a letter to the Polish
prime minister outlining concerns about the patent directive and
implying that they would reconsider their investments in the
country if Poland continued to oppose the directive.

More information can be found at :

http://news.zdnet.co.uk/business/legal/0,39020651,39187947,00.htm

Astalavista's comments : 

Just a comment - you want them to confirm?! I wouldn't like to be an
MS employee lossing his/her job in an open-source world anyway, and
although it's a very sensitive topic, it's all about votes at the bottom
line. Imagine a country in a coordinated push by major companies like
the ones mentioned. They don't want to lose them as investors in the 
country, namely people getting fired or not employed at all. 

Take your time and read the following comprehensive paper if you want
to know more on the topic :

http://www.astalavista.com/?section=dir&act=dnd&id=3577

[ AOL MAN PLEADS GUILTY TO SELLING 92M EMAIL ADDIES ]

An ex-AOL employee has pleaded guilty to stealing 92m customer 
names and email addresses from the ISP's database. The 24-year old, 
Jason Smathers, sold the email addresses for $28,000. Smathers 
sold the names to Sean Dunaway who used the names to promote his
offshore gambling site before selling them on to other spammers. 

More information is available at :

http://www.theregister.co.uk/2005/02/07/aol_email_theft/

Astalavista's comments :

You don't need spam crawlers anymore but just an average secretary
having access to a Fortune 500 companies' client list and contact
details in order to be productive. Sounds familiar? For me insiders
still represent one of the most serious and unsolved security issues
ever. How can 24 years old Johny be productive when you prevent him
from doing his job? Simple, who says Johny needs access to such a sensitive
database, who says Johny, still 24, probably an intern or who's been with
the company since 2003, is a trusted employee, and what is a
trusted employee anyway? Quite an open topic!

A couple of useful papers discussing the insider issue can be found at :

http://www.astalavista.com/?section=dir&act=dnd&id=192
http://www.astalavista.com/?section=dir&act=dnd&id=2704
http://www.astalavista.com/?section=dir&act=dnd&id=3547
http://www.astalavista.com/?section=dir&act=dnd&id=3369

[ SYMANTEC HIT BY LARGE-SCALE FLAW ]

According to security rival ISS, which unearthed the vulnerability,
the problem lies with the DEC2EXE module in the Symantec Anti-Virus 
Library, a part of the virus detection engine that makes it possible
to detect malware inside executable files compressed using the 
freeware UPX (Ultimate Packer for eXecuteables) format. 

More information can be found at :

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,99629,00.html

Astalavista's comments :

No one is invincible, even Symantec - the industry's leading 
computer and network security provider. Symantec has been on the scene
for quite a long time and when it comes to reliability my 
opinion is that they know what they're up to, proactively. Thankfully, it was
security rival ISS to come up with this highly critical vulnerability and
not l33th4x0r at hotmail dot com, while this opens up another topic - the
one about ethics. Quite a good example that rivals are actively "working" on
each other's products.

[ COMPLAINT DROPPED AGAINST DDOS MAFIA ]

Federal authorities in Los Angeles have dismissed a criminal complaint
filed last August against four men accused of performing DDoS attacks for hire.

More information can be found at :

http://www.oreillynet.com/lpt/a/5609

Astalavista's comments :

Do the Federal authorities actually realize the impact of this dismissal
as an incentive for other people to perform DDoS for hire? I doubt so,
it will take a while before certain laws and their actual enforcement 
matures enough so it will be actually enforced. As it usually takes quite
a lot of resources to prevent, block and, most importantly, trace the people
behind these attacks, I'm sure quite a lot of technical experts and law 
enforcement agents are a bit pissed off at the decision. What about
the victim itself?

[ HACKERS SEE 3G AS PRIZE TARGET ]

Despite more paranoia and stiffer security than ever, IP-based 
telecommunications servers are fast becoming the new 'holy grail' for
the black hat hacking community, with a highly embarrassing intrusion
at US based carrier T-Mobile the latest ugly incident. 

According to evidence tendered before a grand jury in California, Nicholas 
Jacobsen is alleged to have compromised T-Mobile's internal computer
systems in 2003 and gained access to sensitive details on 400 customers
including sensitive information from the US Secret Service. 

More information can be found at :

http://www.computerworld.com.au/index.php/id;1170957987;relcomp;1

Astalavista's comments :

Although IP based telecommunications servers are indeed a gold mine,
crackers see every single networked system out there as a target. But 
when it comes to major communications providers, even financial institutions,
those concerned about espionage government should give a hand, or enforce
higher levels of security for systems processing such sensitive information.
Anyway, my mailserver processes sensitive information, I might be 
corresponding with a U.S Secret Service agent in plain-text. We might
be even exchanging personal photos(no steganography here), and the whole
process goes through yet another mail server out there, again in plain-text.
The bigger the traffic load on the server, the higher the chance you'll( sooner
or later) spot either a celebrity or an about to be a naked celebrity :) Huge
embarrassment for T-Mobile and the people exposed. Actually have you ever
thought that something like this could happen to you? Keep on reading :

http://www.wired.com/news/privacy/0,1848,66735,00.html

[ GARTNER SLAMS MICROSOFT'S LACK OF A SECURITY STRATEGY ]

Gartner researcher Neil MacDonald argues that Microsoft's
Trustworthy Computing Initiative should focus on strengthening
Windows so it no longer needs antivirus rather than competing
with established antivirus vendors. Mr. MacDonald also criticizes
Microsoft's decision to create Internet Explorer only for Windows
XP as an attempt to compel Windows 2000 users to upgrade.

More information can be found at :

http://www.zdnet.com.au/news/security/0,2000061744,39181686,00.htm

Astalavista's comments :

Microsoft is actively trying to establish itself as a challenger for
the anti-virus industry and the anti-spyware one, not by working on reliable
practices on how to improve the overall security of its software, but by
directly competing with already established companies. Don't get me wrong,
the more competition the better the outcome, but in this situation MS's
advantages are the reputation they establish instead of admitting the
uncountable number of holes in each of their products and that they
don't have a reliable, proactive strategy on these. But the end users'
disadvantages start from actually trusting a built-in (watch out and see)
recently born anti-virus solution or even a spyware one (detecting Firefox
as spyware). That's not to be trusted at all, as always it's a matter of
convinience = insecurity.

03. Astalavista Recommends
   -----------------------

This section is unique with its idea and the information included within.
Its purpose is to provide you with direct links to
various white papers and tools covering many aspects of Information
Security. These white papers are defined as a "must read" for everyone
interested in deepening his/her knowledge in the Security field.
The section will keep on growing with every new issue. Your comments and
suggestions about the section are welcome at security@astalavista.net

" COMPUTER LANGUAGES HISTORY "

A tree representing the history of computer languages.

http://www.astalavista.com/?section=dir&act=dnd&id=3570

" FIGHT CHAOS IRC GAME "

Fight Chaos IRC Game is a virtual one-to-one fighting and character
improving environment controlled by FCBot in an IRC channel. 
Nice work OkIDaN!

http://www.astalavista.com/?section=dir&act=dnd&id=3595

" WIRETAPPING THE INTERNET "

This paper describes the Advanced Packet Vault, a technology for
creating such a record by collecting and securely storing all 
packets observed on a network, with scalable architecture intended
to support network speeds in excess of 100 Mbps.

http://www.astalavista.com/?section=dir&act=dnd&id=3601

" PENETRATION TESTING IPSEC VPNS "

This article discusses a methodology to assess the security posture of an 
organization's Ipsec based VPN architecture. 

http://www.astalavista.com/?section=dir&act=dnd&id=3620

" REGISTRYPROT 2.0 "

RegistryProt is a 100% free, standalone, compact, low-level realtime
registry monitor and protector, that adds another dimension to 
Windows security and intrusion detection.

http://www.astalavista.com/?section=dir&act=dnd&id=3630

" THE ART OF COMPUTER VIRUS RESEARCH AND DEFENSE "

This chapter discusses the generic (or at least "typical") structure
of advanced computer worms and the common strategies that computer
worms use to invade new target systems.

http://www.astalavista.com/?section=dir&act=dnd&id=3628

" FL0W-S33KER.PL - OVERFLOW TRACKER + DEBUGGER  "  

Simple tool for tracking overflow. It uses GDB calls to get regiters
addresses at  overflow time.

http://www.astalavista.com/?section=dir&act=dnd&id=3587

" THE C CODE ANALYZER (CCA)  "

The C Code Analyzer (CCA) is a static analysis tool for detecting
potential security problems in C source code.

http://www.astalavista.com/?section=dir&act=dnd&id=3558

" HOLD YOUR SESSIONS : AN ATTACK ON JAVA SESSION-ID GENERATION "

HTTP session-id s take an important role in almost any web site today.
This paper presents a cryptanalysis of Java Servlet 128-bit session-id s 
and an efficient practical prediction algorithm.

http://www.astalavista.com/?section=dir&act=dnd&id=3643

" SPOOFSTICK IE  " 

What is SpoofStick? SpoofStick is a simple browser extension that helps
users detect spoofed (fake) websites.

http://www.astalavista.com/?section=dir&act=dnd&id=3653

04. Astalavista.net Advanced Member Portal - Last chance to get a lifetime membership!
   ------------------------------------------------------------------------

Last chance to get a lifetime membership - until the end of March 
there will be no longer lifetime memberships available. Get yours
and become part of the community, not only for the rest of your life,
but also in a cost-effective way. Join us!

http://www.astalavista.net/new/join.php

What is Astalavista.net all about?

Astalavista.net is a global and highly respected
Security Portal, offering an enormous database of very well-sorted
and categorized Information Security resources - files, tools, white
papers, e-books and many more. At your disposal are also thousands of
working proxies, wargames servers where you can try your skills and
discuss the alternatives with the rest of the members. 
Most importantly, the daily updates of the portal make it a valuable
and up-to-date resource for all of your computer and network security
needs. This is a lifetime investment.

Among the many other features of the portal are :

- Over 3.5 GByte of Security Related data, daily updates and always 
working links.
- Access to thousands of anonymous proxies from all
over the world, daily updates
- Security Forums Community where thousands of individuals are ready
to share their knowledge and answer your questions; replies are always
received no matter of the question asked.
- Several WarGames servers waiting to be hacked; information between
those interested in this activity is shared through the forums or via
personal messages; a growing archive of white papers containing
info on previous hacks of these servers is available as well.

05. Site of the month
   ------------------

http://www.linuxlinks.com/

Think Linux!

06. Tool of the month
   ------------------

The "Google Hack" Honeypot

GHH is the reaction to a new type of malicious web traffic: search
engine hackers. GHH is a “Google Hack” honeypot. It is designed to
provide reconaissance against attackers that use search engines as
a hacking tool against your resources. GHH implements honeypot
theory to provide additional security to your web presence. 

http://www.astalavista.com/?section=dir&act=dnd&id=3640

07. Paper of the month
   -------------------

Why Open Source Software / Free Software ?

A must read!

http://www.astalavista.com/?section=dir&act=dnd&id=3577

08. Geeky photo of the month - "Richie Rich"
   -----------------------------------------------------

Every month we receive great submissions to our Geeky
Photos gallery. In this issue we've decided to start featuring the
best ones in terms of uniqueness and IT spirit.

"Richie Rich" can be found at: 

http://www.astalavista.com/images/content/richnerdpc.jpg

09. Free Security Consultation
   ---------------------------

Have you ever had a Security related question but you weren't sure where
to direct it to? This is what the "Free Security Consultation" section was
created for. Due to the high number of Security-related e-mails we keep
getting on a daily basis, we have decided to initiate a service, free of charge.
Whenever you have a Security related question, you are advised to direct it
to us, and within 48 hours you will receive a qualified response from one
of our Security experts. The questions we consider most interesting and
useful will be published at the section. Neither your e-mail, nor your
name will be disclosed.

Direct all of your Security questions to security@astalavista.net 

Thanks a lot for your interest in this free security
service, we are doing our best to respond as soon as possible and
provide you with an accurate answer to your questions.

---------
Question: Hi, Astalavista folks. Superb newsletter! I wanted to ask
you something concerning the recent IE dumping initiatives and the
popularity that, at least what the analysts say, FireFox is getting.
Correct me if I'm wrong but as far as FireFox is concerned, prior
to all these campaigns, I've started seeing
---------

Answer: Thanks! At Astalavista we have also been actively involved in these
campaigns promoting that you'd better switch to a more secure browser
alternative like FireFox than Internet Explorer, but in the short-term.
In the long-term, as you've already started seeing, FireFox is also
starting to become a target of both malicious attackers and security
researchers. There's no simple answer on which one is more secure, but
FireFox is a way too reliable compared to IE, reffered as the
Swiss Cheese in the software world; and it's because of the fact that
it's targeted a lot, some bugs are too weak to be true
given the reputation MS is trying to establish. FireFox bugs also get
fixed much quicker than IE ones - something that plays an important role.
And you wouldn't be actually stuck waiting for mighty MS to release
a patch. But in the long-term, I'm sure you'll start using a browser
you've never thought you're about to use these days.

---------
Question: Hi guys! I've been visting your site since its early days and
it has always been a great resource to me. During the last couple of years
me and I guess everyone taking a look at statistics, have seen an enormous
increase in the levels of (reported) intrusions, as well as the 
recent years' flood of worms. Is it getting worse on the security front
or it's just my impression?
---------

Answer: Basically, these are just a few of the effects of globalization.
Every year there are millions of people in different countries
joining the Internet. Then everything begins from the very beginning - people
get interested in hacking. Some start to enjoy it and decide to practise it
for the rest of their lifes, while others start emphasizing on security. 
Take a look at the great number of vulnerabilities reported - we've seen various
contributions 
from software vulnerability researchers from all
over the world. More and more people start realizing that, indeed, their
programming skills can also be used for software vulnerabilities discovery.
Another aspect I can mention is the increased bandwidth a single end user
has at his/her disposal these days. With such a high speed it takes less
than a couple of hundred zombie PCs to shut down a small network, and although
end users can't live with their high-speed connections, they should, at least,
start securing them for the sake of not being part of another worldwide
DDoS attack.

----------
Question: I hate feeling that I'm watched. I was recently reading a couple
of news stories and I was wondering what do you think - did the FBI really
shut down their Carnivore system, and why, so they can start using Google? 
----------

Answer: Some may call you a "privacy extremist", but I'll call you a concerned
citizen asking the right questions, especially about Google. We get
privacy related questions all the time, and we've started getting them prior to
building awareness about the issue in terms of documents and tools on how to
react on the problem at Astalavista's web site. I believe that the FBI indeed 
retired their Carnivore program simply because it wasn't suitable enough to 
handle the enormous loads of traffic I've mentioned in the answer above, plus
the increased use of VoIP technologies, which is something the U.S government
(and others of course) are actively trying to get their hands on these days. 
Total Information Awareness and other programs whose names we'll find out in 
the years to come are definitely on the look for potential terrorists, and
whatever the people behind the program define as a potentially dangerous 
individual. Google is still keeping it pretty quiet, but isn't that what
intelligence is all about?

10. Astalavista Security Toolbox DVD v2.0 - what's inside?
   -------------------------------------------------------

Astalavista's Security Toolbox DVD v2.0 is considered 
the largest and most comprehensive Information Security archive available offline.
As always, we are committed to providing you with a suitable resource for
all your security  and hacking interests in an interactive way!

The content of the Security Toolbox DVD has been
carefully selected, so that you will only browse through quality
information and tools. No matter whether you are a computer
enthusiast, a computer geek, a newbie looking for information on
"how to hack", or an IT Security professional looking for quality
and up to date information for offline use or just for convenience,
we are sure that you will be satisfied, even delighted by the DVD!

More information about the DVD is available at:

http://www.astalavista.com/index.php?page=3

11. Enterprise Security Issues
   ---------------------------

In today's world of high speed communications, of
companies completely relying on the Internet for conducting 
business and increasing profitability, we have decided that there
should be a special section for corporate security, where advanced
and highly interesting topics will be discussed in order to provide
that audience with what they are looking for - knowledge! 

- Malware and our organization - what are we missing?  - 

Malware that used to be script kiddies' or newbies' best friends a couple
of years ago are now fast-spreading, vulnerability exploiting or mass
mailing worms, scanning each and every computer out there with the
ultimate goal to get it infected and keep disseminating themselves.

The purpose of this article is to briefly summarize various issues
related to an organization's response to the growing and changing 
trends on the malware scene. Hopefully, it would give more insights
of the managerial teams behind it, where the ultimate goal would
be meeting tight budgets and significantly limiting the malware entering
the organization's network.
---

How do organizations fight malware these days? Naturally, server and desktop
anti-virus solutions are concerned, while the more adaptive companies go
beyond and even implement IDSs or innovative managerial strategies to deal
with the problem. Where are you as an organization or business entity in
this process?

Anti-Virus scanners are indeed a must-have both for a multibilion
organization and for the average Internet user who wants to take
advantage of Internet downloads and visiting web sites. However,
there's a common myth that's obviously not actively advertised, namely
that server or desktop anti-virus scanners need to be regularly updated
and that they cannot detect the malware I just came up a couple of hours
ago, targeting especially your organization's structure or the vulnerable
part of the - your staff members, the several unpatched machines left 
around, or everyone somehow connecting to your network to do their job.

Even major Fortune 100 companies suffer from virus attacks, data 
disruption and business processes delays, which can be pretty costly 
sometimes. There's something else to point out here - it's the 
productivity of your work force, the so called mobile users, your B2B 
partners, and everyone somehow having access to your external/internal
network. That productivity leads to many and various potential malware
infections, dissemination techniques and often underestimated entry 
points in your organization.

Businesses don't care about different anti-virus evasion techniques. They
care about the continuity of the business process while taking advantage
of the latest IT and E-business innovations. Namely they want a clear ROI,
something that cannot be really measured although there've been quite a 
lot of ROSI(Return on Security Investment) researches lately. On the other
hand, security staff professionals are having hard time trying to justify yet
another complicated security budget, using desperate stategies such as
cyberterrorism (terribly wrong) in order to persuade the management.

That is why the majority of organizations go for companies that provide
100% security(you wish!), making it even worse, simply because you cannot
achieve 100%, no matter what. Live with that and try to achive the ultimate
99%! The 1% left is the uncertainty you work with while making each  of your 
investments. So what to do about it? Make sure your 
security professionals have or at least gain basic knowledge of today's
business processes, so that they would try to be more adaptive before 
recommending the next couple of thousands commercial IDS solutions. 
When it comes to creativity and enterprise wide malware protection,
they're the ones you should be asking about advice, and not a company's
sales representative. Basically, they're your consultants, aren't they?

A reliable security strategy consists of both technical and human related 
security measures that are reviewed every month to ensure they
meet today's changing malware and security trends. Although your 
organization is still in between kids experiementing and launching worms
in the wild, the majority of serious malware is dominated by today's crime
rings both offline and online. Rethink your strategies starting with the
following :

Who's our weakest link?

Don't think that end users' education reffers to everyone. The way there're 
different types of malware, there are also different types of individuals,
joining the company at different times, having varying levels of 
computer and security knowledge. What is to note is that they will
probably get e newly created mailbox, yet another entry point. 
You might have Denise, an active Internet user for the past 5/6 years.
She's seen a lot,she has experienced several HDD crashes, virus infections;she
has even had her Internet connection upgraded a couple of times. On the
other hand, you have Johny, who's nothing more than an active chatter
and Googler. Namely he's used to taking advantage of ADSL, streaming media
and the rest of the goodies, while he still takes every email
(spam,malware,phishing) he receives personally. He doesn't use SSL so he can
login as fast as possible and still think "I have nothing of value to 
hackers". The differences in these individuals require different 
approaches for their education. The "new-comer" is usually exposed
to the entire multitude of today's worms, while the old user would definitely
spot the most obvious ones. A newly created mailbox caught by a malware or
a spammer is going to be "treated" in a very different way compared to
these they already have somewhere in their databases. Age-old malware
techniques still find ways to target especially the fresh mailboxes. 
Password-protected zip files represent a threat to any organization, why?
Because they cannot be scanned. I especially "enjoyed" a recent password
protected 0-day malware I got and the fact that the author made sure 
the password is secure enough to be bruteforced even for a .zip archive.
Know who's aware and who's not, measure, implement and then evaluate and make
changes to you educational approach. A great deal of recent and past
viruse screenshots can be found at the following URL courtesy of F-Secure.
These could be very handy when presenting different types of malware
in your security awareness course and aiming to show some real-life
images of a specific malware :

http://www.astalavista.com/?section=dir&act=dnd&id=3748

Early Warning Systems

EWSs doesn't have to mean purchasing a worms' catching or vulnerabilities'
updated databases. These might actually be regularly updated by some
of the product vendors for your current solutions. The best EWS happens
to be again your security professionals. Waiting for a patch
to be released and having even a couple of systems unpatched, combined with 
today's ultra fast spreading malware, will result in the worms finding them by
the time you manage to scan your entire infrastructure. Don't let yourself be
stuck by the time your vendor updates signatures or vulnerabilities database
and don't get fooled by services offering you such services. It's all a matter
of vigilance, and if well motivated and financially supported, your workforce
could implement a very handy in-house EWS. Do you want to know who's attacking you? 
Although this might seems a bit of an obvious question, it should be noted 
that attackers definitely don't use their own hosts to dirrectly attack yours.
Namely, all you'll end up having is information and whose network out there is
most insecure and has worms infected pcs, and which country is most actively
contributing to the dissemination of malware.

Consider Microsoft's recent confirmation that the patch released two
months ago addressing Windows Media Player's .wmp files files vulnerability
to spread malware  is NOT working.

http://www.eweek.com/article2/0,1759,1771220,00.asp?kc=EWRSS03129TX1K0000614

There're often situations where a very practical non patch and not commercial
solution is just around the corner. Using freeware tools, Internet communities'
distributed IDSs and spyware monitoring web sites, plus a couple of file
types extensions tweaks and in-house spam filtering techniques  will reduce,
if not completely eliminate, 98% of all known malware. The rest should be dealt
with by looking for patterns, and responding to an ongoing threat on a
network-wide basis. Namely assure that every pc connected to the network
is secure by default.

Internal trends analysis

Knowing how your users use your network, which are the most visited web sites, most
received and sent file types will definitely assist you when working out the
network(firewalls, ACLs) and human-based security measures to be implemented.
Based on the information known, static, both host and ip based lists of trusted
web sites like cnn.com, finance.yahoo.com etc could be build up, while blocking
Active Content on the majority of unknown or considered untrusted web sites. 
Although this topic is out of reach for the purpose of this article, we always
assume that cnn.com and finance.yahoo.com could never spread malicious content,
but that Geocities and other non-resolvable web sites represent a threat to the
company, as well as that our DNS infrastructure is working perfectly fine. 
The more you know about your work force's habits, the easier it would be for you
to tailor the company's malware policy towards them.

This article briefly provided a company's management with various
insights on how to improve their current malware strategies. Hopefully,
it will be taken into account while making security investments, approving
security budgets and providing security staff members with incentives,
which do not necessarily have to be monetary. In future issues of
Astalavista Security Newsletter, we'll be covering the threats possed by
the mobile workforce.

12. Home Users' Security Issues
   ----------------------------

Due to the high number of e-mails we keep getting from
novice users, we have decided that it would be a very good idea to
provide them with their very special section, discussing various aspects
of Information Security in an easily understandable way, while, on
the other hand, improve their current level of knowledge.

- 2005 - are we heading straight to 1984? - 

It is somehow ironic how back in 1949 George Orwell envisioned the total
surveillance society in 1984, and while it partly happened in a number of
communist ruled countries, today's Internet, ADSL connections, mobile phones
video streaming and pictures sharing etc. is KGB's dream comes true!

After the 9/11 attacks the intelligence community(both big players and local
governments) shifted - now they have the excuse and most of all the public
support we all directly or indirectly provided them with, starting with the idea to
feel safe from future terrorist attacks - what were we thinking?

Why should you care?

Whenever using a cash-machine, you do your best to ensure your privacy,
when you're in a dressing room, or when chatting or sending sensitive 
information like personal or company documents, pictures and other multimedia,
this is where the main problem is - the Internet is thought to be an anonymous
method of communication where you could hide behind a nickname or an email 
address, while the truth is that it isn't. The same goes about your
mobile phone conversations, even worse - your VoiP ones, too.

These days there's too much personal data collected. Doesn't it bother you
to know that Google keeps track of each of your searches(associated with your
old or new cookie) up to 2038? Doesn't it bother you to know that even though emails 
are deleted from Gmail, they're actually retained for unknown period of time
(reading Gmails Privacy Policies)? Huge companies storing large amounts of personal
data like ChoicePoint are often victims of attacks. Can you trust them to handle
it properly?

Right now, over the Internet and over any telecommunications network there are
huge efforts for the interception of what is believed to be traffic of interest,
or the entire traffic flow based on certain criteria.

Don't accept the feeling of security when it actually threatens your privacy, because
privacy shouldn't be sacrificed for security, and just because you aren't doing
anything illegal (which is a pretty contradictive statement in today's globalized
world) doesn't mean you shouldn't care how your personal information is treated.

We're all members of our society when our society takes care of us, or we're in
favour of its (thought to be) socially oriented activities. But all disregard or start
having concerns about it when it doesn't meet our expectations, then we feel somehow
abused and hopefully want to make a change, while not turning into a privacy paranoid.
Anyway, healthy scepticism is always your best friend.

What to do about it?

Encrypt, encrypt, encrypt, avoid plain-text communications, know how the
local government is "taking care" of your security with respect to your privacy, spread
the word!

It's pretty simple - the more you know about technology, the more you care about
privacy; the more you know about databases, advertising and intelligence, the more
motivated to make other people aware.

Read privacy policies, educate yourself, cookies that expire in 2038 are
definitely not your friends when you live at Google. And never forget that 
there's never "free lunch"! If yes, where's my lunch?

Further privacy oriented papers and tools can be located at :

http://www.astalavista.com/?section=dir&cmd=file&id=3677
http://www.astalavista.com/index.php?section=dir&cmd=file&id=2323
http://www.astalavista.com/index.php?section=dir&cmd=file&id=1509
http://www.astalavista.com/index.php?section=dir&cmd=file&id=2891
http://www.astalavista.com/index.php?page=96
http://www.astalavista.com/index.php?section=dir&cmd=file&id=1376
http://www.astalavista.com/?section=dir&cmd=file&id=3723
http://www.astalavista.com/index.php?section=dir&cmd=file&id=3692

http://www.eff.org/
http://www.epic.org/

Educate yourself, don't be naive, know who you can really trust, speak
for yourself and support free speech or turn yourslef into yet 
"Another Brick in The Wall" where BigBrother is at both sides of the wall.

13. Meet the Security Scene
   ------------------------

In this section you are going to meet famous people,
security experts and all personalities who in some way
contribute to the growth of the community. We hope that you will enjoy
these interviews and that you will learn a great deal of useful
information through this section. In this issue we have interviewed
Björn Andreasson from http://www.warindustries.com/

Your comments are welcome at security@astalavista.net 
------------------------------------------------
Interview with Björn Andreasson,
http://www.warindustries.com/

Astalavista : Hi Björn, would you please introducte yourself and share some more
information about your background in the security world?

Björn : My name is Björn "phonic" Andreasson and I live in Sweden, I'm turning 22
this year. I've been a part of the so called "underground" since the age of 14
which gives a total of 8 years. I got my first computer at the age of 13 and I
quickly got involved in Warez as my uncle showed me some basic stuff about the
internet. After a while I realised Warez websites was "uncool" because of all
the popups, porn ads, only trying to get as many clicks on your ads as
possible to earn enough money to cover your phone bill. So, there I was
viewing the Fringe of the web (www.webfringe.com) and I found all those
wonderful h/p/v/c/a websites, which caught my eye. I knew I could do 
better than most of these guys as I had a lot of experience from the Warez scene -
I knew how to attract visitors quickly. The first version of War Industries I 
belive was a total ripoff from Warforge.com as I didn't know better at the age 
of 15/16, I quickly understood this wasn't the way to do it so I made my first
version of the War Industries and I might add it looked VERY ugly as I recall it:)

From there I have had several designers making new versions, trying to
improve it and I belive we've acheived that goal now. It should be mentioned that
during 2000 and 2003 War Industries was put on ice as I couldn't cover the
expenses so it was only me and a friend  keeping the 
name alive until 2003 when I relaunched the website and turned it into what it is today
(Badass). I've also been a part of the Progenic.com crew as well.
As Blackcode.com crew, it was practicly my work that made BC famous 
because I sent a shitload of hits to it back in '99 when WarIndustries received
4,000 unique hits on a daily basis. I also owned www.icqwar.com which held only ICQ
war tools, some of my own creation, very basic but handy. The site had 3,000
unique hits on a daily basis after only one week online. After four 
weeks I got a letter from AOL to give me the domain name or being
sued. What could I do? 16 years old, of course, I gave it away!
Well that's pretty much my story.

Astalavista : WarIndustries.com has been around since 1998, nice to see that it's still alive.
What is the site's mission, is it hacking or security
oriented? Shall we expect some quality stuff to be released in the future, too?

Björn : WarIndustries can't really be placed anywhere. It's either black, gray or
white hat. I'd say we're a mix with a touch of them all. Our focus is to
enlighten people in the means of programming, getting them to know google as
their best friend. We've released a couple of video tutorials wich are
very popular because they make things so easy. We're going to release a
couple of new ones soon, as soon as we get around to it as most of us got jobs
and other stuff to attend to. Don't miss out on our brand new T-shirts coming
up in a month! If you're something, you've got to have one of those!

Astalavista : What do you think has changed during all these years? Give a comparison
between the scene back in 1998 as you knew it and today's global
security industry, and is there a scene to talk about?

Björn : I'd say people are a way more enlightened today. Back in '98 you could pretty
much do anything you liked without getting caught. Today you can't even
download Warez without getting problems. I'd say there's a scene but very
different from the oldschool I know. I am trying not to get involved and I have my own
way. Maybe that's why WarIndustries is so popular.

Astalavista : Is Google evil, or let's put it this way, how can Google be evil? Why
would Google want to be evil and what can we do about it if it starts
getting too evil?

Björn : Google is not evil, Google is your best friend!

Astalavista : Give your comments on Microsoft's security ambitions given the fact
that they've recently started competing in the anti-virus industry. They even
introduced anti-spyware application -  all this comming from MS?

Björn : If it wasn't for Microsoft, there wouldn't be viruses so I'm blaiming 
them for writing crap software. Why do they always leave a project unfinished 
and start another one? I mean Windows XP is working fine, why Longhorn? Why can't 
they make XP totally secure, like OpenBSD, there hasn't been a remote root exploit for
many years as of what I've heard? That's security! If I didn't know better, I'd
say MS is writing low-quality software so they can get
into the Anti-virus scene and make even more profits!

Astalavista : Recently, the EU has been actively debating software patents. Share
your thoughts on this and the future of open-source software?

Björn : I can't make up my mind when it comes to Open/Closed source.There's 
benefits from both sides. Open source is fixed much quicker but also discovered
way more often than closed. This is my opinion.

Astalavista : In conclusion, I would really appreciate if you share your comments
about the Astalavista.com site and, particularly, about our security
newsletter?

Björn : Actually, I haven't checked out Astalavista that much. I have known it for many
years but I never got around. I promise I'll check it out!

Astalavista : Thanks for your time Björn!

14. Security Sites Review
   ----------------------

The idea of this section is to provide you with reviews
of various highly interesting and useful security or
general  IT related web sites. Before we recommend a site, we
make sure that it provides its  visitors with quality and a
unique content.

-
Bleedingsnort.com
-
http://www.Bleedingsnort.com/

Bleeding snort is a regularly updated web site providing various Snort related
Rulesets, recommended!

-
Benedelman.org
-
http://www.Benedelman.org/

Benjamin Edelman's web site, outstanding research on spyware and Internet filtering
efforts by governments worldwide, plus many more.

-
Majorgeeks.com
-

http://www.Majorgeeks.com/

"Major Geeks.com- Feel the Geek.. BE the Geek!" 

-
Networksecuritytech.com
-

http://www.Networksecuritytech.com

Network Security Forums - What do you want to know today?

-
Blackhat.be
-

http://www.Blackhat.be/

Crewl underground madness (cum) is a belgian group of computer enthousiasts specialized
in network (in)security, hacking, coding and phreaking.


15. Final Words
   ------------

Dear readers,

Thank you for the invaluable feedback, for all the great comments as well as for the
remarks, and,of course,for
spreading the word for our newsletter.

We're actively working on a couple of new weekly updated sections at Astalavista.com
They will be online within the next several weeks with the idea to provide you with 
qualified security content.

Until then, keep on exploring because knowledge means power!

Editor - Dancho Danchev
dancho@astalavista.net

Proofreader - Yordanka Ilieva
danny@astalavista.net