Hack-proofing a website is hard enough. But the task becomes
gargantuan when you accidentally publish the administrator’s password
on one of your site’s most heavily trafficked pages.

Such a security gaffe may have enabled unauthorized visitors to log in
and access files undetected for more than six months on a server
operated by Carmichael Lynch, a public relations and advertising firm
with several big-name clients. The admin password was inadvertently
published on a page that contained online job postings.

Among the files potentially exposed to outsiders: internal documents,
including customer databases owned by two of the company’s biggest
clients, Porsche and American Standard.

Experts said the incident is the latest example of how shoddy security
can undermine companies’ privacy promises.

Carmichael Lynch removed the posting that contained the admin password
from its site last week. Contained in the help wanted ad, cached here,
were hyperlinks that included a user name and password that human
resources employees used to upload job listings.

Before the problem was corrected, any Internet user could have
accessed files on Carmichael Lynch’s server simply by modifying the
address in the link.

Carmichael Lynch spokeswoman Sara Mulder said the company has no
evidence that unauthorized visitors took advantage of the security
lapse.

Mulder said the firm’s HR team was using Microsoft’s FrontPage Web
publishing software to post job listings, and the program embedded
“unwanted code, creating that loophole.”

An Internet user who asked not to be identified said he discovered the
problem last June and notified Carmichael Lynch. The user said he
decided to go public with the information after the PR company failed
to plug the hole.

Mulder confirmed that Carmichael Lynch learned last June that its
job-posting process contained a security flaw, but she said the
company thought at the time that it had resolved the problem.

Among the files accessible on the server last week was a 13.5-MB
database containing names, addresses, vehicle information and other
data on nearly 75,000 luxury car and SUV owners.

According to Mulder, Porsche owned the database, which was dated Oct.
20, 2002. But the file’s Properties tab indicated the database was
created by Acxiom, a provider of customer-information tools and
services.

Officials from Porsche Cars North America and Acxiom had no immediate
comment on the incident.

Carmichael Lynch’s security flub also exposed a 7-MB spreadsheet that
contained contact information, including e-mail addresses and
registration passwords, for nearly 12,000 people who had registered
with the American Standard website between April 30 and Sept. 10,
2002.

A pop-up window greets first-time visitors to the plumbing supply site
and encourages them to register for access to “site extras” such as a
“wish list” and a preferred dealer locator.

It was not immediately clear why Carmichael Lynch was storing clients’
customer info databases on its public Web server. Such a practice is
dangerous but common among site administrators who are not “security
savvy,” said Harlan Carvey, a security engineer for a financial
services company.

Privacy policies posted on the websites of Porsche, American Standard
and Acxiom state that the companies take “reasonable precautions” to
protect customers’ personal information in their possession. Mulder
said she does not believe Carmichael Lynch has a privacy policy.

Mark Litchfield, co-founder of NGSConsulting, said privacy policies
are often not backed up by strong security practices. Instead, such
statements are merely “jargon” aimed at giving customers “a warm
feeling in parting with their credit card and other associated
sensitive material.”

Privacy expert Richard Smith agreed, and said Carmichael Lynch’s
security practices “don’t live up to the promises being made in their
clients’ privacy policies.”

To prevent such lapses in the future, Mulder said Carmichael Lynch has
“isolated all such data to ensure its security on limited-access
servers.”

Such data spills can be costly to corporations that fail to follow
standard practices for protecting customer data. Last August,
Ziff-Davis Publishing agreed to pay affected customers $500 each after
lax security exposed the personal data of thousands of subscribers.

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.

 …

THE curious thing about the new film “Catch Me if You Can” is how
contemporary it seems. Curious because this tale of Frank W. Abagnale
Jr. – in real life a teenage con artist who cashed millions in fake
checks while impersonating an airline pilot, a doctor and a prosecutor
– is set in the swinging 60’s.

In those days few mortals had used a computer, and Internet wasn’t
even a word. But the young Frank Abagnale seems an eery prefiguration
of a very modern character: the hacker.

Like them, he discovered a vast and arcane system held together with
technology – in his case, the nation’s network of banks. He worked
tirelessly to understand its every facet, from the codes used by the
Federal Reserve system, to the special paper and ink and machines used
to make checks. And he exploited the system with a teenager’s
limitless energy – and limited morality.

Like many of today’s hackers, Mr. Abagnale – who is currently
unavailable for interviews, said a spokesman, having just completed a
publicity tour for the film – finally went legit. He crossed over from
committing crimes to solving them – first for the F.B.I., and these
days as a consultant to the industry he once defrauded. In this, too,
he was ahead of his time. In January 2000, the computer security firm
known as stake hired the seven members of L0pht Heavy Industries, a
hacking collective in Boston. Two years before, a member of L0pht
(pronounced loft) had bragged about the group’s skills to a Senate
committee, saying that any member could take down the Internet within
30 minutes.

Chris Wysopal, who attended that hearing as a L0pht member and is now
the director of research and development for stake, says that while
his firm doesn’t go out of its way to hire hackers, it values
“learning how the systems work through exploration.”

Kevin D. Mitnick, perhaps the nation’s best-known hacker, served five
years in prison on charges of computer and wire fraud and is currently
trying to reinvent himself as a business consultant. He has started a
company, Defensive Thinking Inc., and has written a book on computer
security, “The Art of Deception: Controlling the Human Element of
Security,” with William L. Simon.

Hackers have always been with us, said David J. Farber, who helped to
develop electronic telephone switching when he worked at Bell
Laboratories in the 1950’s and 60’s, and went on to pioneer many of
the technologies underlying today’s networked computers.

“There’s been a big history of – let’s call it hacking,” said Mr.
Farber, citing tricks like using magnets to guide slugs through Coke
machines, and getting free phone calls by turning the telephone
company’s own technologies against it. “I don’t remember doing
anything particularly onerous,” he said, and joked that his memory
might be clouded by the fact that “I don’t know what the statute of
limitations is.”

Broadly defined, he said, it is a fundamental urge to game the system.
“If you could find the records and dug back far enough, it was
probably going on in ancient Rome,” he said.

In that sense, the hacker really is a species of trickster. And as the
“cyberpunk” novelist Neal Stephenson wrote in “The Diamond Age,” the
trickster is universal, but varies in guise from culture to culture.

“The Indians of the American Southwest called him Coyote, those of the
Pacific Coast called him Raven,” Mr. Stephenson writes. “Europeans
called him Reynard the Fox. African-Americans called him Br’er Rabbit.
In 20-century literature he appears first as Bugs Bunny and then as
the Hacker.”

OF course, hackers may have another, less mythological reason for
embracing Mr. Abagnale as one of their own. In the movie, at least, he
is an infallibly successful seducer of women – a particular sort of
con at which the stereotypically male hacker is proverbially inept.

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.

 …

It is a great pleasure for us to introduce the Third World Conference
on Information Security Education, organized by IFIP Working Group
11.8 (IT Security Education) together with the Center for INFOSEC
Studies and Research (CISR) at the Naval Postgraduate School.

The conference will be held in Monterey, California 26-28 June 2003.

Take a few minutes to look around this web site – it contains all the
information you will need if you plan to attend the conference, or if
you want to submit a paper.

Register online!

http://cisr.nps.navy.mil/wise3/

We look forward to meet you at the conference!

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…

“Enterprise Security”, David Leon Clark, 2003, 0-201-71972-X,
U$39.99/C$62.99
%A David Leon Clark
%C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
%D 2003
%G 0-201-71972-X
%I Addison-Wesley Publishing Co.
%O U$39.99/C$62.99 416-447-5101 fax: 416-443-0948
%O http://www.amazon.com/exec/obidos/ASIN/020171972X/robsladesinterne
%P 264 p.
%T “Enterprise Security: The Manager’s Defense Guide”

The preface is heavy on buzzwords (and a few spelling errors) with
little attention paid to concepts and structure. Part one would like
us to think of the forging of a new economy. Chapter one asks “what
is e-business,” and, with a little re-interpretation of history (the
Internet had been in existence for twenty two years and had five
million users, a significant number private and commercial, before it
“became available to the public” according to this book) and ignoring
of inconvenient facts (the hyperinflation of dot com IPO stocks is
stated to prove the success of e-business just before we are told that
the dot com failure was inevitable because of stock hyperinflation)
tells us that e-business uses the net and makes money. Some security
jargon is introduced in chapter two. A confused recycling of trade
press myths about blackhats, in chapter three, seems to state that
these are the only malicious opponents of e-business: there is no
mention of insider attacks.

Part two looks at protecting information assets in an open society.
Chapter four demonstrates an amazingly consistent failure to
understand the technologies supposedly being explained: a
De-Militarized Zone (DMZ) is, by definition, not abandoned outside the
firewall, and Simple Key Management for IP (SKIP) is not a virtual
private network (VPN) product. There are more buzzwords,
miscellaneous security concerns, and more mistakes (ActiveX is *not*
multi-environment) in chapter five.

Part three talks about waging war for control of cyberspace. Chapter
six looks at attacks by syntax, and demonstrates more TCP/IP errors.
(Packet filtering is not exactly built into IP: the ability to handle
a packet based on destination is central to the idea of networking.
The ping-of-death has nothing to do with fragmentation offsets since
it is a single packet, and it is not too small, but too large.) There
is a confusion of attack scripts and script viruses (and cookies, too,
for good measure) in chapter seven. Countermeasures and attack
prevention, in chapter eight, actually looks (tersely) at incident
response. The material isn’t too bad, but has very little detail.
Having talked about DDoS (Distributed Denial of Service) in chapter
six, the attack now gets more pages, but little more detail. Chapter
ten is a grab bag of random safeguards and countermeasures, as is
eleven.

Part four deals with active defense mechanisms and risk management.
Chapter twelve, entitled vulnerability management, suggests collecting
alerts. Given what we’ve seen so far, it is strange that chapter
thirteen *does* address the nominal subject of risk management, albeit
not very well.

This confused collection of random concepts adds nothing of value to
the security literature.

copyright Robert M. Slade, 2002 BKESTMDG.RVW 20020916

-- 
======================
rsladevcn.bc.ca  rsladesprint.ca  sladevictoria.tc.ca p1canada.com
Find book info victoria.tc.ca/techrev/ or sun.soci.niu.edu/~rslade/
Upcoming (ISC)^2 CISSP CBK review seminars (+1-888-333-4458):
    February 10, 2003   February 14, 2003   St. Louis, MO
    March 31, 2003      April 4, 2003       Indianapolis, IN

– ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’ in the BODY of the mail.

 …

The end of standard mass mailing worms is nigh – maybe as soon as
before the end of 2003. But there replacements – Trojans and Spyware –
are much, much worse.

Or so Roger Thompson, technical director of TruSecure, a risk
management firm, forecasts. In particular he warns of the risk from
Remote Access Trojans (RATs) or backdoors posted on the Net or spread
via email.

“Malware code writers will continue to disguise RATs and backdoor
scripts as ‘adult’ movies and then post them to pornography new groups
targeting inexperienced users,” he writes. “Expect them to continue
through 2003 but they will be mixed with more and more grey ware (i.e.
spyware and advertising monitoring that is barely legal).”

Thompson notes mass-mailing Windows viruses were largely unsuccessful
in hitting corporations in 2002, with the notable exception of
organisations which did implement proper filters. One of the two
biggest worms of the year was Klez, which infected home PCs mostly.

Macro and script viruses emerged at a rate of 200 to 300 a month in
2002 but this will decrease to approx. 20 to 30 per month, TruSecure
believes.

According to Thompson, the impact of the mass-mailing worm is mostly
over for corporations but it will still have an impact on SOHO (small
office/home office) environments this year.

Code Red

TruSecure (and more particularly its affable “Surgeon General” Russ
Cooper) came to notice in 2001 for predicting that the Code Red virus
had the potential to “meltdown” the Internet.

This warning was, we now know overstated. Cooper told us, when we met
up with him before Christmas, that he did not regret the warning. He
was acting, he said, on early analysis of Code Red and its possible
spread through NT4 boxes. This turned out to be a lesser risk than
first believed.

Fair enough; but TruSecure is still banging on about Code Red-style
attacks to this day. Thompson warning he expects “another attack in
2003 in the class and level of Code Red”.

If he means another outbreak of hysteria from sectors of the security
community (which ought to know better) over some supposed
Internet-crushing threat, how could we disagree?

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…

WASHINGTON, Jan. 2 (UPI) — The India-Pakistan conflict has entered
the cyber realm as hackers across the subcontinent have infected
hundreds of thousands of computers in more than 100 countries on New
Year’s Day and the virus is spreading.

South Asia’s two nuclear rivals have been fighting each other since
their independence from Britain in 1947. They have fought wars in the
air, on the ground and in the sea. When the Internet arrived, it
quickly became yet another arena of conflict.

Last summer, when a terrorist attack on the Indian parliament brought
more than a million troops to the border, Pakistani hackers attacked
the official site of the Indian defense ministry. They inserted
messages proclaiming independence for the Kashmir region, a Himalayan
valley under dispute between India and Pakistan for 55 years.

This was not the first hacking bout between the two rivals, however.
Both sides had engaged in this behavior previously.

The latest virus attack has arrived with a warning for the Pakistani
hackers: “Your days are over, now it is our turn to show that ‘My
India is great’ (‘Bharat mahan hai,’ in Hindi).”

The message continues: “Want peace and prosperity in India? Then
(trash) corrupted politicians.” It also warns politicians: “Talent and
hard work should be respected. Self-styled (expletive) must be
eliminated. No more (expletive) monopoly.”

The message includes an e-mail address — qphhackmail.com — and a
mailing address in New Delhi.

Infected computers are automatically directed to an official Web site
of the Pakistan government. Its virulent spread has enabled thousands
of machines with the code to conduct a distributed denial-of-service
attack aimed at the homepage of the Islamic Republic of Pakistan at
pak.gov.pk.

On Tuesday, the virus forced one Pakistani official site,
infopak.gov.pk, to suspend service.

An earlier message also challenged G-Force, a group of Pakistani
hackers, to match the “intelligence and expertise” of the Indian
hackers.

The G-Force hackers, who reportedly operate from Lahore, Pakistan, had
claimed responsibility for attacking the official site of the Indian
defense ministry in the summer.

“Come & work with us” against “the G-Force-Pak shiites,” the message
urged Indian hackers.

Also earlier this week, e-mail management firm MessageLabs gave the
new virus, dubbed W32/Yaha.M, the No. 2 spot on the list of the most
virulent computer viruses.

The first copy of the virus was detected June 15 in an e-mail from
Kuwait. Most copies now being stopped are coming from Egypt, Saudi
Arabia and the United Kingdom.

The e-mail messages, which are about 45-47 kilobytes in length, try to
lure the receiver to download “sexy screensavers.” Some messages offer
“love partners” and chatting “opportunities” with members of the
opposite sex.

“Enjoy this friendship Screen Saver and Check your friends circle,”
the message says. “Send this screensaver to everyone you consider a
FRIEND, even if it means sending it back to the person who sent it to
you. If it comes back to you, then you’ll know you have a circle of
friends,” it advises.

Most of the senders have South Asian names. The early senders had
female names such as Savera, Madhuri and Rekha that seem to have been
borrowed from India’s Bollywood movies.

South Asian names still dominate but now the senders have both Muslim
and Hindu names and some IP addresses can be traced to both sides of
the India, Pakistan border.

When a receiver opens an infected file, the virus quickly spreads
through the system. A distributed denial-of-service attack floods a
Web site with user requests, overwhelming the server and locking out
site visitors.

It enters Internet explorer and installs itself as the default
homepage with addresses that lead to either hirosh.tk or hackers.com
but it does not seem affect Netscape.

Every time users click Internet Explorer, they are automatically led
to one of the two sites. The default action can be suspended
temporarily by going to the security setting and placing the two
addresses in the restricted sites.

Because a hacked system does not allow access to Internet options, a
user can go there through pop-up ads that still appear in the Internet
Explorer window.

Although the two addresses reappear as the default home page every
time a computer restarts, this temporary relief allows a user to
download antivirus software.

Yaha virus, which is also spelled Yahaa, is a mass mailer that sends
itself to all e-mail addresses in the computer’s Microsoft Windows
Address Book, MSN Messenger List, Yahoo! Pager list, and ICQ list. It
disables some anti-virus and firewall programs. All anti-virus
programs currently have up-to-date definitions to protect against Yaha
or Yahaa.

Those who use Norton Anti-Virus tools can download removal
instructions from sarc.com.

If the worm has run already, the user first must reverse the change it
effected. If the worm has not run:

— Configure Windows to show all files.

— Copy Regedit.exe to Regedit.com (in most cases).

— Edit the registry and reverse the change that the worm made.

— Update the virus definitions, run a full system scan, and delete
all files that NAV detects as W32.Yahaa.E.

Computer users without antivirus protection can go to bitdefender.com
for a free removal tool.

*==============================================================*
“Communications without intelligence is noise; Intelligence
without communications is irrelevant.” Gen Alfred. M. Gray, USMC
================================================================
C4I.org – Computer Security, & Intelligence – http://www.c4i.org
*==============================================================*

–
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoattrition.org with ‘unsubscribe isn’
in the BODY of the mail.…