Saturday, October 04, 2003

Two Major Databases Spring Security Leaks
The security firm Application Security Inc. reported this week that IBM's DB2 Universal Database and MySQL AB's MySQL open-source database have a total of three vulnerabilities that range from low- to high-risk levels.

The first DB2 weakness is a buffer overflow in db2dart, which involves a UDP service used to discover DB2 databases on a network. The UDP service is overwhelmed when more than 20 bytes of data are sent to it.

All versions of DB2 are affected, although the risk level is only medium. The fix is IBM's FixPak 10a, available here.

DB2's second new weakness is a vulnerability to denial-of-service attacks in its discovery service. This is a service used in turn to locate another service when configuring connections. Again, if a packet larger than 20 bytes comes in to the server, the service shuts down.

This second DB2 flaw also affects all versions of DB2, but it carries only a low risk level. The fix is available here.

The MySQL database has potential for a buffer overflow in its "get_salt_from_password" function. This is a serious risk, and it affects all versions of MySQL. According to Newman, a malicious user could grant him- or herself administrative privileges and then use the function to trigger a buffer overflow.

http://www-3.ibm.com/cgi-bin/db2www/data/db2/udb/winos2unix/support/download.d2w/report

http://www.mysql.com/downloads/mysql-4.0.html

http://www.mysql.com/downloads/mysql-3.23.html

http://www.eweek.com/article2/0,4149,1306270,00.asp

Friday, October 03, 2003

An open-source group that maintains software for securing communications released a patch on Tuesday to fix several vulnerabilities that were found during a security test by the U.K. government.

The security flaws exist in the OpenSSL Project's version of the secure sockets layer (SSL) software used by Web sites and browsers to cryptographically secure data. Two of the flaws could lead to a denial-of-service attack, and a third may allow an attacker to break into a system from the Internet.…

Not to be confused with the OpenSSH project--SSH stands for secure shell--which has patched its software twice in the last month, the OpenSSL Project develops and maintains an open-source version of SSL software. A year ago, the Slapper worm infected Linux computers that hadn't been patched to fix a different hole in the same software.

Cox said that a specially crafted digital certificate could crash the OpenSSL software through either of two flaws, causing a denial-of-service attack. The third flaw could result in a security hole that could allow online vandals to attack a server or enable a worm to spread. All versions of OpenSSL, up to and including 0.9.6j and 0.9.7b, are affected…

http://zdnet.com.com/2100-1105-5085327.html

Wednesday, October 01, 2003

Microsoft Baseline Security Analyzer
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).

MBSA Version 1.1.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
Windows XP Professional with Service Pack 1 Utility: Setup Disks for Floppy Boot Install
The Windows XP startup disk allows computers without a bootable CD-ROM to perform a new installation of the operating system. The Windows XP startup disk will automatically load the correct drivers to gain access to the CD-ROM drive and start a new installation of Setup.

Quick Info
File Name: winxpsp1_en_pro_bf.exe
Download Size: 4302 KB
Date Published: 9/9/2002
Version: SP1

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=83F53BE9-28FA-40E8-8EC2-631504EF5E26
Windows XP Home Edition with Service Pack 1 Utility: Setup Disks for Floppy Boot Install
The Windows XP startup disk allows computers without a bootable CD-ROM to perform a new installation of the operating system. The Windows XP startup disk will automatically load the correct drivers to gain access to the CD-ROM drive and start a new installation of Setup.

Quick Info
File Name: winxpsp1_en_hom_bf.exe
Download Size: 4301 KB
Date Published: 9/9/2002
Version: SP1

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=FBE5E4FC-695F-43E5-AF05-719F45C382A4
Shell enhancements or tweaks Windows XP/2000

http://www.petri.co.il/other_free_shell_enhancements.htm

Tuesday, September 30, 2003

IE holes lead to AIM, dial-up attacks
Security holes in Microsoft's Internet Explorer have been exploited by hackers to hijack AOL instant messaging accounts and force unsuspecting Web surfers to run up massive phone bills, computer experts cautioned on Friday.

Some IE users are also finding that malicious Web sites are secretly slipping Trojan programs onto their computers, which could prove an even more dangerous exploit, said Drew Copley, a research engineer at Aliso Viejo, Calif.-based eEye Digital Security, who discovered the original security vulnerability.

Such stealth programs can include keystroke loggers that record everything a person types or software to erase the hard drive, among other things, he said.

Microsoft has released a patch for the original hole, which was reported about a month ago, said Stephen Toulouse, security program manager for Microsoft's Security Response Center. The company is looking into what it says are variations of the original hole that have been discovered since then that the patch does not fix, Toulouse said.

"We will release a fix for the variations," he said.

Security experts are reporting the variations as new security holes, disclosed within the past three weeks and used for different types of attacks, Copley said.

Microsoft and eEye Digital Security said they have issued information for temporary workarounds.

In general, the attacks are accomplished by leading Internet Explorer users to a malicious Web site, either by sending an e-mail with a link to the Web page or distributing a link through instant messaging, Copley said.

When the Web site appears, it downloads code that can execute commands on its own onto the unsuspecting computer user's machine, Copley said.

An attacker has written a program that uses a security hole in Internet Explorer to hijack an already running AOL Instant Messenger account, changes the password and sends a message to the buddies list with a link to the malicious Web page, according to postings on the Bugtraq security e-mail list.

The Web site the posting listed as stealing the AIM passwords appeared to have been shut down.…

Another attack is being accomplished by sending computer users to Web sites--typically porn sites--that change the computer's dial-up settings to an expensive long-distance phone number without the person knowing it, said Richard Smith, an independent Boston-based security researcher.

In the so-called "porn dialer" attack, victims are being charged as much as $5 a minute instead of paying their normal Internet service fee, he said.

A third type of attack steers computer users to pay-per-click Web sites, where the spam marketer gets paid each time someone goes to the Web site, Copley said.

Computer users can protect themselves by applying patches, following the workaround instructions, or changing their settings in Internet Explorer to prompt them before a Web site downloads programs that can execute on their own, Toulouse said.

http://zdnet.com.com/2100-1105_2-5083234.html
Put XHTML 1.0 Strict and Transitional to work
XHTML 1.0 Strict
XHTML 1.0 Strict is the most demanding XHTML flavor, but it provides the cleanest structural markup. Strict code is free of any markup used to define layout. It uses cascading style sheets (CSS) to control the presentation. This separation of structure from presentation is what makes XHTML Strict flexible enough to be displayed on different devices. The reliance on CSS to control presentation can be problematic for developers, because it's not a good choice for Web content that needs to be viewed on devices or in browsers that do not recognize style sheets.

XHTML 1.0 Transitional
XHTML 1.0 Transitional is the more forgiving XHTML flavor. Unlike Strict, which completely separates structure from presentation, Transitional allows you to use tags to control the look of your markup. Its goal is bridging the gap between HTML-based pages that allow the markup to control the presentation and XHTML Strict, which does not. Its main benefit is that it overcomes Strict's CSS dependence. Transitional pages are still accessible to users who use older browsers or who are using devices that don't recognize style sheets.

How to choose?
The choice between Strict and Transitional depends on a couple of factors:

Audience. If you find that much of your audience uses older browsers that don't recognize style sheets, Strict may not be the right answer—although I would make the case that supporting standards is more important than backward browser compatibility at this point. If most of your audience is using the latest versions of Internet Explorer, Netscape, Opera, or Safari, Strict is the best long-term choice.

Current code. If you already use CSS and your HTML doesn't contain a lot of markup that controls presentation, you can make the leap to Strict.…
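As an added example (not code from the article or from the Builder.com piece it summarizes), a small Python audit that lists the presentational elements and attributes XHTML 1.0 Strict removed but Transitional still permits, run over a constructed page written both ways; the element and attribute sets are drawn from the Strict and Transitional DTDs, and the sample markup is constructed for illustration.

```python
# Added example, not from the original article: audit markup for the presentational
# elements and attributes that XHTML 1.0 Transitional permits but Strict removed.
from html.parser import HTMLParser

# Elements dropped from the XHTML 1.0 Strict DTD (all still legal in Transitional).
STRICT_BANNED_ELEMENTS = {"font", "center", "basefont", "u", "s", "strike",
                          "applet", "iframe", "isindex", "menu", "dir"}
# Presentational attributes Strict removed, keyed by the element they sit on.
STRICT_BANNED_ATTRS = {
    "body": {"bgcolor", "background", "text", "link", "vlink", "alink"},
    "table": {"bgcolor"}, "tr": {"bgcolor"},
    "td": {"bgcolor", "width", "height", "nowrap"},
    "th": {"bgcolor", "width", "height", "nowrap"},
    "img": {"border", "hspace", "vspace"}, "hr": {"width", "size", "noshade"},
    "br": {"clear"}, "a": {"target"}, "form": {"target"}, "script": {"language"},
    "ol": {"start", "compact", "type"}, "ul": {"compact", "type"}, "li": {"value", "type"},
}
# Strict keeps align only on table-structure elements; anywhere else it is layout.
ALIGN_ALLOWED_IN_STRICT = {"td", "th", "tr", "col", "colgroup", "tbody", "thead", "tfoot"}

class StrictAudit(HTMLParser):
    # Collects (line, message) for every Transitional-only construct encountered.
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag/attr names
        line, _col = self.getpos()
        if tag in STRICT_BANNED_ELEMENTS:
            self.findings.append((line, f"<{tag}> is not in XHTML 1.0 Strict"))
        banned = STRICT_BANNED_ATTRS.get(tag, set())
        for name, _value in attrs:
            if name in banned or (name == "align" and tag not in ALIGN_ALLOWED_IN_STRICT):
                self.findings.append((line, f"{name} on <{tag}> is not in Strict"))

def audit(markup):
    # Returns the Strict violations in document order; an empty list means Strict-ready.
    parser = StrictAudit()
    parser.feed(markup)
    parser.close()
    return parser.findings

# Constructed sample: the same small page written the Transitional way and the Strict way.
TRANSITIONAL_PAGE = """<body bgcolor="#ffffff"><center><font face="Arial">Welcome</font></center>
<p align="center">Hello</p><table border="1" bgcolor="#eeeeee"><tr><td align="left" width="50%">cell</td></tr></table>
<a href="/next.html" target="_blank">next</a></body>"""
STRICT_PAGE = """<body><div id="banner">Welcome</div>
<p class="centered">Hello</p><table border="1"><tr><td align="left">cell</td></tr></table>
<a href="/next.html">next</a></body>"""
```

Note that `border` on `table` and `align` on `td` are left alone: Strict still allows both, so the audit flags only what would actually have to move into CSS.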

http://builder.com.com/5100-6371-5061538.html?fromtm=e606
2003 CSI/FBI cybercrime survey
The eighth edition of the longest-running annual survey of computer crime and losses has recently been published by the Computer Security Institute. The study, which is conducted in cooperation with the San Francisco FBI office, is based on the results reported by 530 security specialists working in U.S. corporations and government agencies.

The number of incidents remained about the same as in the 2002 survey, but overall economic loss was down significantly; losses due to financial fraud in particular were down by 90 percent.

Theft of proprietary information was reported as being responsible for the most financial loss, with the average reported loss pegged at about $2.7 million per incident.

Denial of service attacks were responsible for more than $65 million in total losses among those surveyed, making it second only to theft of proprietary data in total cost.

Insider attacks and system abuse followed virus infections as the top category of adverse events based on the number of incidents.

In a blow to crackers who think they can move into the mainstream, 68 percent of the respondents were strongly opposed to hiring reformed hackers.

The high incidence of virus attacks reported is also a bit surprising, since 99 percent of the companies surveyed reported using antivirus software. A full 98 percent also report using firewalls.

Back when the survey began, fewer than one in five serious attacks were reported to authorities, but that percentage has doubled in recent years to around 30 percent. Of those who gave a reason for failing to report incidents, more than half said they didn’t know they could report incidents. But nearly three-quarters say that they don’t report incidents because they fear negative publicity.

The report speculates that so many companies said they didn’t know they could report incidents because they simply weren't sure which agency would have jurisdiction. This certainly remains a serious problem, with few local authorities being willing or able to pursue cybercrimes. In some cases, the Secret Service might be involved, but the FBI is often the only agency that would have both the capability to deal with this sort of crime and the jurisdiction. However, the FBI has been swamped with new antiterrorism duties since 9/11, and when it wants to pursue a nonviolent cybercrime, it often doesn't have the resources available.

When asked for his interpretation of the survey results, Special Agent Tom Grasso of the Pittsburgh FBI office pointed out that there was an “even split between unauthorized use by insiders and outsiders” and noted that a big percentage of respondents blamed disgruntled employees for the attack. He also reminded security specialists to consider past survey data when analyzing this year's results. "The authors of the study commented that this [year’s numbers] are in line with pre-2001 data, which could mean that 2001 and 2002 were just unusually high.”

Grasso is the FBI liaison with CERT and is the driving force behind the National Cyber-Forensics and Training Alliance (NCFTA), a partnership among law enforcement, academia, and industry that is working to improve cyberforensic skills.

Free PDF copies of the full report are available. To obtain your free copy, fill out the form on this page. Bound and printed versions are also available through Kinko's DocStore service; a small fee is charged to cover printing and shipping costs.

Companies can take one commonsense step to help prevent attacks: They can patch their systems. According to the CSI/FBI report, almost unbelievably, even companies that experienced serious computer system intrusions failed in nearly 10 percent of cases to patch the vulnerable systems. In the 2002 report, only 77 percent reported patching known holes that had been exploited. It might be interesting to ask some of them just what economic or other considerations kept them from patching a hole when they knew an exploit existed and had been used to successfully attack them at least once.

http://www.ncfta.net/

http://gocsi.com/forms/fbi/pdf.jhtml?_requestid=990693