[Plug-security] Francois Security News - March 20, 2000

J. Francois frenchie@magusnet.gilbert.az.us
Sun, 19 Mar 2000 17:40:26 -0700


<http://web.lexis-nexis.com/more/cahners-chicago/11407/5620488/1> - A large
number of businesses fail to update and consistently review their security
policies, which determine the business assets they need to protect as well
as the processes and technologies they must implement to properly secure
enterprise networks. What's more, many companies don't have an IT security
staff and spend relatively few dollars to protect their information assets,
according to Network Computing magazine's new survey of 573 IT and security
managers.

<http://news.cnet.com/news/0-1006-200-1576095.html?tag=st.cn.1.lthdne> -
WebTV has been hit by a self-replicating bug that is wreaking havoc with the
network's message boards and newsgroups, a situation that knocks back the
company's claim that it is immune to viruses and security holes. The
problem, which some are calling the "Flood Virus," gets inside the e-mail
system of WebTV owners and prompts the WebTV settop box to litter bulletin
board and newsgroup sites on the company's network with redundant junk mail.
Like the Melissa virus, the malicious WebTV code sends out the emails under
a user's name without their knowledge.

<http://www.currents.net/newstoday/00/03/17/news2.html> - Unleashing what
it hopes is another weapon in the arsenal against hackers, Microsystems
Software, maker of the Internet filtering software Cyber Patrol, announced
today that it has filed a lawsuit seeking to stop two hackers, neither of whom
is a US resident, from what it calls continued violations of US copyright law.

CERT/CC Current Activity <http://www.cert.org/current/current_activity.html>
- Compromises via BIND Vulnerability, Domain Name Hijacking, Scans and
Probes

<http://www.zdnet.com/zdnn/stories/news/0,4586,2469820,00.html?chkpt=zdhpnews01> -
In the largest known case of cybertheft, a computer intruder stole
information on more than 485,000 credit cards from an e-commerce site and
then secretly stored the massive database on a U.S. government agency's Web
site, MSNBC has learned. Credit card companies notified financial
institutions, but many of the compromised accounts remain open to this day
because the banks neither closed them nor notified customers of the theft.

<http://www.cisco.com/warp/public/707/pixftp-pub.shtml> - The Cisco Secure
PIX Firewall interprets FTP (File Transfer Protocol) commands out of context
and inappropriately opens temporary access through the firewall. This is an
interim notice describing two related vulnerabilities.

<http://www.microsoft.com/technet/security/bulletin/fq00-017.asp> - When
parsing a reference to a path, Windows 95 and 98 check for the presence of a
single DOS device name in the path. If one is found, the path is correctly
treated as invalid and an error is returned. However, neither Windows 95 nor
98 check for multiple DOS device names. This is the source of the
vulnerability. If a read or write operation is attempted to a path whose
name contains multiple DOS device names, it will cause Windows 95 and 98 to
attempt to access invalid resources. In some cases, the effect of this
invalid access would be to cause the application that supplied the path to
hang, but the more likely effect is that the machine would present a blue
debug screen and crash.
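As an added illustration (my own code, not from the Microsoft bulletin above): a Python validator that applies the check the bulletin says Windows 95/98 only performed once, i.e. it inspects every path component for a DOS device name rather than stopping at the first. The device-name list and the function names are my assumptions.

```python
"""Reject file paths containing MS-DOS device names in any component.

The Win9x defect described in MS00-017 was that only a single device
name was checked for; an application-side validator that examines every
component catches the multiple-device case as well.
"""
import re
from typing import List

# Assumed reserved DOS device names (case-insensitive); COM1-9 and
# LPT1-9 are generated rather than listed by hand.
_BASE_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
DOS_DEVICE_NAMES = (
    _BASE_DEVICES
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

_SEP = re.compile(r"[\\/]+")          # accept both separator styles
_DRIVE = re.compile(r"^[A-Za-z]:")    # leading "C:" is not a name


def _component_is_device(component: str) -> bool:
    """True if one path component resolves to a DOS device.

    DOS treats "con", "CON.txt" and "con  " (trailing spaces or dots) as the
    same CON device, so trailing blanks/dots and any extension are ignored.
    """
    name = component.rstrip(" .")
    name = name.split(".", 1)[0].strip()
    return name.upper() in DOS_DEVICE_NAMES


def find_device_components(path: str) -> List[str]:
    """Return every component of `path` that names a DOS device.

    Unlike the single check in Win9x, all components are examined, so
    "c:\\temp\\con\\con" reports both "con" entries.
    """
    stripped = _DRIVE.sub("", path)
    components = [c for c in _SEP.split(stripped) if c]
    return [c for c in components if _component_is_device(c)]


def is_safe_path(path: str) -> bool:
    """True only when no component of `path` is a DOS device name."""
    return not find_device_components(path)
```

A constructed path such as `c:\temp\con\con` fails the check, while `c:\console.log` passes, because only whole component names (before any extension) are compared.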

<http://www.idg.net/idgns/2000/03/15/LegislatorsProposeCommissionToStudyPriva.shtml> -
Citing overwhelming concern among Americans about the protection
of private financial, health and other personal information, two U.S.
lawmakers have proposed a bill that would establish a commission to study
and make recommendations about how best to ensure data privacy.

<http://www.ntsecurity.net/go/loader.asp?iD=/security/netscape1.htm> -
Simple HTML code can cause Netscape Communicator 4 to crash. While we are
still uncertain as to the exact cause of the crash, it would appear that it
pertains to an embedded DIV tag that is coded in a particular manner.

<http://www.idg.net/idgns/2000/03/14/EUUSPrivacyDealRottenObserversSay.shtml> -
European and U.S. negotiators have finalized an agreement on data
privacy that puts to rest a simmering trans-Atlantic dispute over data
protection, but U.S. observers say the accord underscores that Europeans
have far more privacy protection than Americans.

<http://www.currents.net/newstoday/00/03/15/news1.html> - A consortium of
key Internet businesses has formed an industry task force aimed at spreading
the gospel of e-business security -- particularly to medium-sized, Web-based
companies -- in the wake of the recent denial of service attacks. The group
has issued a set of guidelines aimed at getting businesses to think about
their own corporate virtual well-being, something many of them currently are
not doing.

<http://www.fcw.com/fcw/articles/2000/0313/web-biometr-03-15-00.asp> - Faced
with a steady increase in illegal intrusions into its computer networks, the
Army has accepted responsibility for research and development of biometric
technologies to bolster the Defense Department's cybersecurity programs.

<http://www.computerworld.com/home/print.nsf/idgnet/000314F75A> - Symantec
Corp. has asked a Massachusetts Internet service provider to remove links to
a list of Web sites blocked by Symantec's I-Gear Internet filtering
software, as well as to a program that decrypts the list. Symantec charges
that the information is protected by copyright and trade-secret laws.

<http://xforce.iss.net/alerts/advise45.php3> - Internet Security Systems
has identified a vulnerability in the encryption used to conceal the
password and login ID of a registered SQL Server user in Enterprise Manager
for Microsoft SQL Server 7.0. When registering a new SQL Server in the
Enterprise Manager or editing the SQL Server registration properties, the
login name that will be used by the Enterprise Manager for the connection
must be specified. If a SQL Server login name is used instead of a Windows
Domain user name and the 'Always prompt for login name and password' checkbox
is not set, the login ID and password are weakly encrypted and stored in the
registry.

<http://www.techweb.com/wire/story/TWB20000314S0006> - More than half of
businesses on the Internet leave themselves open to security breaches
because they fail to safeguard themselves.

<http://www.zdnet.com/zdnn/stories/news/0,4586,2462114,00.html?chkpt=zdhpnews01> -
U.S. Federal Trade Commissioner and FBI warn tech CEOs to address
security and privacy concerns or lose the opportunity to self-regulate.

<http://www.idg.net/idgns/2000/03/14/EUAndUSReachDataPrivacy.shtml> -
European and U.S. negotiators finalized on Tuesday an agreement on data
privacy that puts to rest a simmering trans-Atlantic dispute over data
protection, the negotiators told a press conference. After over two years of
talks, negotiators agreed that the U.S.'s largely self-regulatory system
based on so-called safe harbor principles represents "adequate protection"
as defined and required by the rules of the European Union on the transfer
of personal data outside the E.U.

<http://www.computerworld.com/home/print.nsf/idgnet/000314F756> - Microsoft
Corp. warned network administrators yesterday to stop distributing a
security patch for Internet Explorer 5.0 that could prevent Windows 2000
users from logging in to their computers.

<http://www.ntsecurity.net/go/loader.asp?iD=/security/ie515.htm> - Georgi
discovered that a user could place a .chm file in the TEMP directory where
that file could contain a shortcut command. When the file is opened with the
showHelp() procedure, any listed programs could be executed by the operating
system.

<http://www.currents.net/newstoday/00/03/14/news3.html> - Russian IT
security firm Kaspersky Lab has issued a warning over a new type of worm
called I-Worm.melting. As the name implies, the worm carries a screen saver
that melts the PC's screen image, but the bad news is that it also locks up
the user's machine. The anti-virus company said that the worm has been
reported in the wild by its customers in Eastern Europe.

<http://199.97.97.16/contWriter/cnd7/2000/03/12/cndin/4805-0010-pat_nytimes.html> -
The concept of privacy is changing radically as a result of our new
computer-based lives. Privacy used to be achieved through the sheer friction
of everyday life: distance, time and the lack of records. Information didn't
travel well, and most people who wanted to escape their pasts could simply
move to a new location.

<http://www.ntsecurity.net/go/loader.asp?iD=/security/ie514.htm> - Certain
HTML code can cause Internet Explorer 5.0 to crash or consume all available
CPU cycles until the offending process is terminated manually.

<http://www.wired.com/news/politics/0,1283,34932,00.html> - An ex-CIA
director has detailed business-related espionage conducted by the United
States against Europe.

<http://www.sophos.com/virusinfo/analyses/w32shoerec.html> - The payload
randomly changes the icon arrangement on the desktop so it appears that
icons are running away from the mouse pointer. The virus may mutate so that
it is not further infectable, but still deletes a number of randomly chosen
files, depending on the date.

<http://www.nandotimes.com/technology/story/0,1643,500180192-500237416-501173875-0,00.html> -
The Justice Department has created a cybercrime Web site
defining computer crime and describing how to report it, listing the
department's latest thinking on privacy vs. policing on the Internet and
even showing how the government searches and seizes computers.

<http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2460182,00.html?chkpt=p1bn> -
The government agency in charge of enforcing the rules sent a
"clarification" letter to U.S. business organizations last week that steps
back from the hard position it had taken when the rules were adopted Jan. 31.


Jean Francois Sends...
President & CEO MagusNet, Inc.
MagusNet.com, MagusNet.Gilbert.AZ.US
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com, TheLinuxLab.com, LinuxWired.net
480-778-1120 - Office
602-770-JLF1 - Cellular