Francois Security News March 6, 2000

J. Francois jlf@magusnet.gilbert.az.us
Sun, 5 Mar 2000 16:15:27 -0700


Please forward as appropriate:

<http://wired.com/news/politics/0,1283,34734,00.html>  - February 2000
should prove to be a month to remember for Internet privacy advocates -- and
DoubleClick investors. It ended with the online ad firm announcing it would
suspend plans to tie names to now-anonymous user Web "cookies" until online
privacy standards were established

<http://www.newsbytes.com/pubNews/00/144971.html>  - President Clinton has
asked each cabinet secretary and agency head to renew their efforts to make
sure their computer networks are safe against denial of service and other
illegal Internet attacks

<http://www.ciac.org/ciac/bulletins/k-025.shtml>  - MySQL database
server versions prior to 3.22.32 have a flaw in the password authentication
mechanism which allows anyone who can connect to the server to access
databases without requiring a password, given a valid username on the
database - in other words, the normal password authentication mechanism can
be completely bypassed

<http://www.techweb.com/wire/story/TWB20000302S0022>  - Efforts are under
way to make Linux more secure for e-business, now that it's making inroads
as an enterprise server platform

<http://www.nylj.com/stories/00/03/030200a5.htm>  - "Somebody's going to get
sued: that's clear," said David J. Loundy, of Chicago's D'Ancona & Pflaum
LLC. "Somebody's going to want a test case. The issue is whether there's
going to be one or two of these suits, or whether it's going to be open
season against service providers," said Mr. Loundy, who teaches computer
crime at Chicago's John Marshall Law School

<http://www.zdnet.com/zdnn/stories/news/0,4586,2455265,00.html?chkpt=zdhpnews01>  - The Trojan horse, which arrives as an e-mail attachment named
'prettypark.exe,' has already victimized universities and corporations

<http://www.currents.net/newstoday/00/03/03/news2.html>  - Salesgate.com
says some credit data belonging to thousands of customers that was taken
when a hacker broke into the e-commerce site was posted on the Internet

<http://www.debian.org/security/2000/20000229> - The version of nmh that was
distributed in Debian GNU/Linux 2.1 (aka slink) did not check incoming mail
messages properly. This could be exploited by using carefully designed MIME
headers to trick mhshow into executing arbitrary shell code. This has been
fixed in version 0.27-0.28-pre8-4. We recommend you upgrade your nmh package
immediately

<http://www.techweb.com/wire/story/TWB20000302S0012>  - Microsoft is
awarding two grants to university researchers to help network administrators
fend off distributed denial of service attacks, executives said Thursday

<http://www.sjmercury.com/svtech/news/breaking/ap/docs/272497l.htm>  - In a
bizarre twist to the federal prosecution of Kevin Mitnick, a Senate panel
today asked him to explain ways hackers infiltrate sensitive computer
systems, and to suggest solutions to lawmakers

<http://www.fcw.com/fcw/articles/2000/0228/web-security-03-02-00.asp> -
Commercial information security products designed to protect information
systems from cyberattacks next year will have to meet strict international
standards before government agencies can purchase them

<http://www.zdnet.com/zdnn/stories/news/0,4586,2454429,00.html?chkpt=zdnntop>  - Personal financial information that consumers key into Intuit Corp.'s
popular Quicken Web site has been leaking out to advertisers, and the
company moved swiftly to address the problem

<http://www.cert.org/congressional_testimony/Cross_testimony_Mar2000.html>
- On March 1, 2000, the director of the Software Engineering Institute at
Carnegie Mellon University, of which the CERT/CC is a part, presented testimony
on the issue of cyber security

<http://www.ecommercetimes.com/news/articles2000/000302-1.shtml> - Online
travel agency and Microsoft spin-off Expedia.com reported Wednesday that it
will record $4 to $6 million in third quarter losses to cover fraudulent
credit card purchases made on its Web site.

<http://www.ecommercetimes.com/news/articles2000/000301-1.shtml> - Software
security solutions provider Diversinet Corp. announced Tuesday that it is
extending support of its Software Development Kit for creating wireless
e-commerce applications to the Linux open-source platform.

<http://www.techserver.com/noframes/story/0,2294,500175233-500227783-501098807-0,00.html>  - It began with an e-mail, the kind of nasty missive
e-commerce CEOs dread. The sender, describing himself as a 19-year-old
Russian named "Maxim," claimed to have pilfered 300,000 credit card numbers
from CD Universe, a music retailing Web site. Maxim offered to destroy the
stolen files in exchange for around $100,000.

<http://www.sophos.com/virusinfo/analyses/wm97michaelb.html>  - The virus
uses the Office Assistant to display a random message, chosen from 21
possibilities. Amongst messages which may be displayed are some credited to
Virginia Woolf, Steve McConnell, David Parnas and Paul Clements, Kreitzberg
and Schneiderman, Alice in Wonderland, Michael I. Buen, Glenford Myers,
Donald Knuth, Peter Williams and Rich Cook

<http://www.infoworld.com/articles/en/xml/00/02/29/000229enjustice.xml>  -
U.S. Department of Justice officials on Tuesday told a joint congressional
committee that the law has to be changed to make it easier to pursue
hackers. They also want more money to hire prosecutors and analysts, as well
as to improve the research capabilities of federal, state, and local law
enforcers investigating cybercrime

<http://xforce.iss.net/alerts/advise44.php3>  - The Windows version of
trin00 is similar to the Unix version. The daemon for Windows trin00 listens
on port 34555, while the Unix version listens by default on port 27444.
Unlike the Unix version of the trin00 daemon, the Windows daemon does not
try to contact the master server to register. The ISS X-Force believes that
this is to prevent someone who finds the daemon on a Windows machine from
finding the IP address of the master by looking in the binary executable

<http://www.fcw.com/fcw/articles/2000/0228/web-NSA-02-29-00.asp> - Days
before the Feb. 27 broadcast of a "60 Minutes" story focusing on the
U.S.-backed global electronic surveillance network known as Echelon, the
National Security Agency sent a letter to every member of Congress
reassuring them that the super-secret agency respects the privacy of U.S.
citizens

<http://www.zdnet.com/zdnn/stories/news/0,4586,2453339,00.html?chkpt=zdhpnews01>  - Security firm TripWire Inc. is cannonballing into the open-source
waters, with a friendly push from major Linux vendors Caldera Systems, Red
Hat and SGI

<http://www.cert.org/vul_notes/VN-2000-01.html>  - An increase in the
intruder activity associated with various vulnerabilities in certain
implementations of the clock daemon cron has prompted the issuing of this
note. Multiple intruder tools exploiting previously-discussed cron
vulnerabilities have been found on compromised Linux systems as part of
incidents recently reported to the CERT/CC

<http://www.currents.net/newstoday/00/02/29/news9.html>  - Congress members
often accuse the federal government of being slow on the uptake compared to
the lightning-quick innovations of the high-tech industry. But only several
weeks after a series of crippling denial of service attacks on popular World
Wide Web sites, the Hill this week looks forward to multiple hearings on the
subject, along with the possible introduction of the long-awaited Cyberspace
Electronic Security Act

<http://www.zdnet.co.uk/news/2000/8/ns-13651.html>  - The Internet isn't so
great at protecting our secrets, but hopefully government obfuscation will
get the same treatment.

<http://www.deseretnews.com/dn/view/0,1249,150017165,00.html?> - Only a
handful of computer attackers are actually caught and convicted as federal
law enforcement of cyber-crime lags far behind the explosive growth of the
Internet, Justice Department records show.

<http://www.washingtonpost.com/wp-srv/WPlate/2000-02/26/071l-022600-idx.html>  - Yet another World Wide Web site was temporarily blocked in a "denial of
service" attack, the FBI said yesterday. The site was the FBI's.

<http://www.seattletimes.com/news/technology/html98/inbo_20000227.html>  -
While recent e-commerce attacks have made us all more security conscious,
they also serve as a reminder that e-mail has never been really private.

<http://www.cert.org/incident_notes/IN-2000-01.html>  - Windows machines
have been used as intermediaries in various types of denial of service
attacks for years; however, the development and deployment of the technology
to use Windows machines as agents in distributed denial of service attacks
represents an overall increase in the threat of denial of service attacks

<http://www.techweb.com/wire/story/TWB20000228S0015>  - IBM on Wednesday
will announce it will offer for export PCs capable of handling 256-bit
digital key encryption. The machines will be available on March 10, making
Armonk, N.Y.-based IBM among the first to make this technology widely
available, an IBM executive said

<http://www.currents.net/newstoday/00/02/28/news18.html>  - Sen. Charles
Schumer, D-N.Y., Thursday formally introduced a measure that would increase
the fines and penalties for computer crimes

<http://www.wired.com/news/technology/0,1282,34528,00.html> - While federal
investigators continue their hunt for the folks behind the recent
denial-of-service attacks that crippled some of the Internet's biggest
players, security companies are plying their wares with a vengeance

<http://www.currents.net/newstoday/00/02/28/news1.html>  - On the heels of
recent distributed denial-of-service attacks on commercial Web sites, a
public/private security group has published a document to help organizations
deal with systems security

<http://www.zdnet.co.uk/news/2000/8/ns-13702.html>  - Microsoft uses the
open Internet security standard in its Windows 2000 operating system and
makes modifications without openly documenting its changes

Jean Francois Sends...
President & CEO MagusNet, Inc.
MagusNet.com, MagusNet.Gilbert.AZ.US
CTO EBIZ Enterprises, Inc.
TheLinuxStore.com, TheLinuxLab.com, LinuxWired.net
480-778-1120 - Office
602-770-JLF1 - Cellular