April 2004 - Posts
A fledgling Swansea company claims to have made a breakthrough in the fight against spam e-mail.
NetBop Technologies says its new filter has so far proved effective in stopping 99.5% of junk messages.
Founder Andrew Downie, a graduate of the city's university, says his BopSpam filter operates differently to many of the competitors on the market.
http://news.bbc.co.uk/1/hi/wales/south_west/3669653.stm
Summary
Email title: 'Citibank Security Update'
Scam target: Citibank customers
Email format: An HTML email
Sender: citibank.com <csupport6@citibank.com>
Sender spoofed? Yes
Scam call to action: "Due to technical update we recommend you to reactivate your account."
Scam goal: Getting victim's Citibank website account/password and ATM PIN
Call to action format: URL link
Visible link: http://web.da-us.citibank.com
Called link: http://citibank-validate.info/
Resolved site: http://citibank-validate.info/, along with http://www.citibank.com (the legitimate Citibank site)
http://www.antiphishing.org/phishing_archive/29-04-04_Citibank_(Citibank_Security_Update).html
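The lure above relies on the visible link text naming one host (web.da-us.citibank.com) while the href points to another (citibank-validate.info). The following is an added example, not part of the original post, that pulls every anchor out of an HTML mail body and flags that mismatch; the sample message is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'www.example' text gets a scheme first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def find_link_mismatches(html_body):
    """Return anchors whose visible text is a URL on one host while the href
    goes to a different host: the visible-link / called-link gap in the summary."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    suspicious = []
    for href, text in collector.links:
        if not text.lower().startswith(("http://", "https://", "www.")):
            continue  # visible text is not a URL, so there is nothing to compare
        shown, real = _host(text), _host(href)
        if shown and real and shown != real:
            suspicious.append({"visible": text, "href": href,
                               "shown_host": shown, "real_host": real})
    return suspicious


# Constructed sample modelled on the lure summarised above (not the real message)
SAMPLE_EMAIL = """<html><body>
<p>Due to technical update we recommend you to reactivate your account.</p>
<a href="http://citibank-validate.info/">http://web.da-us.citibank.com</a>
<p>Read more at <a href="http://www.citibank.com/">our site</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for hit in find_link_mismatches(SAMPLE_EMAIL):
        print(f"shows {hit['shown_host']} but goes to {hit['real_host']}")
```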
Two anti-spyware bills are being readied in time for a hearing Thursday in the U.S. House of Representatives.
The measures, one sponsored by a California Republican and the other by a Washington Democrat, take different approaches toward software that lurks on a computer and serves pop-up ads or transmits personal information. But both make the same point: Official Washington is becoming officially fed up with the proliferation of spyware and adware. The new attention paid to malicious software follows last fall's unprecedented focus on unsolicited commercial e-mail.
http://news.com.com/2100-1023_3-5201819.html
Anti-virus company Symantec backtracked on Wednesday after claiming that it captured an example of a new Internet worm that takes advantage of a recently disclosed hole in Windows machines running Secure Sockets Layer (SSL).
http://www.nwfusion.com/news/2004/0428microhole.html?fsrc=rss-security
Yesterday at 5:17 AM, one of Lycos's many sub-domains was defaced: https://insite.lycos.com
The Brazilian crew named data Cha0s has probably taken advantage of the recent SSL vulnerability that affects IIS.
http://www.zone-h.org/en/news/read/id=4200/
http://news.com.com/2100-1002_3-5201585.html
Microsoft plans to use more dialog boxes and other messages in future software releases to educate people on 'safe' computing.
At the InfoSecurity trade show in London, Microsoft said Tuesday that new versions of its Windows and Office products will educate customers about security via dialog boxes, warning messages and offers to automatically configure security settings.
Symantec late Tuesday afternoon captured a sample of malicious code that spreads by exploiting one of the many vulnerabilities in Windows disclosed this month by Microsoft.
The vulnerability stems from a flaw in Windows Protected Communications Technology (PCT) v. 1.0, a packet protocol within Microsoft's SSL library. SSL is an encryption technology typically used to secure communications with Web sites -- such as those for processing credit card orders -- and for locking down e-mail. The vulnerability was made public on April 13 as part of the month's security bulletins from Microsoft.
On Monday, several security analysts noted that although exploit code was in the wild, a worm hadn't yet appeared.
Symantec's DeepSight Threat network -- a global group of sensors that tracks up-and-coming exploits -- snagged a copy of the code Tuesday afternoon, said Alfred Huger, the senior director of engineering with Symantec's security response team.
http://www.internetweek.com/breakingNews/showArticle.jhtml%3Bjsessionid=HTWDAREE202UMQSNDBOCKHY?articleID=19202066
Date: Apr 27 2004
Impact: User access via network
Exploit Included: Yes
Description: A vulnerability was reported in McAfee VirusScan. A remote user may be able to access a target user's system.
Jonathan Payne reported that the software appears to install several non-secure ActiveX controls. A remote user can reportedly create HTML that, when loaded by the target user, will invoke the ActiveX controls and access the target user's system.
A demonstration exploit that accesses the target user's Windows registry is provided in the Source Message.
Impact: A remote user can create HTML that, when loaded by the target user, will be able to access the target user's system.
Solution: No solution was available at the time of this entry.
Vendor URL: www.mcafee.com/
Cause: Access control error
Underlying OS: Windows (Any)
http://www.securitytracker.com/alerts/2004/Apr/1009956.html
Summary: Longhorn promises to be a great platform for least privileged applications. Get started today by writing managed code, first of all. When building desktop applications, make them LUA-compliant (and use the Windows Application Verifier to help check your work)
http://msdn.microsoft.com/longhorn/default.aspx?pull=/library/en-us/dnlong/html/leastprivlh.asp
Source: Jerry's Security Weblog
Failure to centralise antivirus software management exhausts IT workers
Companies that have yet to centralise the management of their antivirus software are exhausting their IT staff.
While the majority of firms have taken users out of the loop of updating antivirus software, those that have not are unable to cope due to the sheer volume of viruses, according to application switching vendor Radware.
"Users can't be trusted to do it themselves," said Tony Crowley, Radware's regional director for northern Europe.
http://www.vnunet.com/News/1154643
Problems with maintaining the confidentiality of electronic documents and preventing document tampering are on the rise, according to a security manager at Adobe Systems Inc.
Although he would not divulge details of any specific incident of document tampering in the federal government, John Landwehr, group manager for security solutions and strategy at Adobe, said cases of document spoofing represent a growing problem for both government and corporate offices.
http://www.fcw.com/fcw/articles/2004/0426/web-adobe-04-26-04.asp
A new group known as "dark-underground" defaced several high-profile web sites, including governments, intergovernmental organizations and famous brands. Korea and China seem to be the most targeted countries among the list of victims. The defacer often created a page on the server and wrote "Hacked By Dark Underground" in order to prove that he had compromised them; a "FREE ITALIAN FROM IRAQ" message also appeared in older defacements.
The attackers are probably taking advantage of misconfigured FrontPage servers, which allow them to be authenticated and to administer the servers without any login or password.
List of the most important defaced web sites at http://www.zone-h.org/en/news/read/id=4195/
Malicious attackers in Brazil, Germany and the Netherlands tried to use a vulnerability in Windows to break into some of Australia's largest financial institutions, including at least three banks, over the Anzac weekend, according to the Atlanta-based security firm, Internet Security Systems.
http://www.zone-h.org/en/news/read/id=4196/
End-point security vendor Zone Labs Monday unveiled a new version of its Integrity software designed to detect and disable spyware on desktop computers in an enterprise network.
The upgrade, dubbed Integrity Clientless Security 2.0, is thought to be the first security product on the market aimed specifically at eliminating spyware--a category that includes keystroke loggers, Trojan horses, worms and hacker tools. The software is available now to channel partners.
According to Frederick Felman, vice president of marketing at the San Francisco-based company, the features should help enterprises remove the threats of ID and password theft and data loss, while preserving user and IT productivity.
http://www.crn.com/sections/BreakingNews/dailyarchives.asp?ArticleID=49713
The country's top computer experts have been unleashing predatory viruses and hacking through firewalls in the name of crime prevention.
Security specialists used live virus and hacking demonstrations to show computer network teams from across the north west the best ways of protecting their systems.
The course, hosted by Manchester firm NCC, gave IT managers the chance to see exactly where their networks are vulnerable and what happens when they are attacked.
http://www.manchesteronline.co.uk/business/technology/s/110/110173_online_viruses_under_attack.html
More attack code surfaces for recent MS security holes
http://www.infoworld.com/article/04/04/26/HNmoreattackcode_1.html
Just days after Microsoft Corp. warned its customers about the release of code that can exploit a hole in its Secure Sockets Layer (SSL) library, new code that claims to exploit another recently disclosed hole surfaced on a French language Web site.
The computer code can be used by a remote attacker to trigger a buffer overrun vulnerability in the Local Security Authority Subsystem Service (LSASS), according to a message posted to www.k-otik.com. Microsoft released a patch for the LSASS vulnerability, MS04-011, on April 13, along with fixes for the SSL problem and a number of other vulnerabilities.
Secunia Advisory: SA11482
Release Date: 2004-04-26
Critical: Highly critical
Impact: System access
Where: From local network
OS:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98 Second Edition
Microsoft Windows Millennium
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional
Software:
Microsoft Internet Explorer 5.01
Microsoft Internet Explorer 5.5
Microsoft Internet Explorer 6
Description:
Rodrigo Gutierrez has discovered a vulnerability in Windows and Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error, which can be triggered via Internet Explorer and Windows Explorer when connecting to a file server. This can be exploited to cause a buffer overflow by setting up a malicious share with an overly long name (about 300 bytes) containing no lower case characters.
Successful exploitation may potentially allow execution of arbitrary code on a user's system, but requires that the user is tricked into connecting to a malicious file server, visits a malicious website, or follows a specially crafted link.
According to a Microsoft knowledge base article (see "Other References" section), the vulnerability should have been fixed in SP1 for Windows XP and SP4 for Windows 2000. However, the vulnerability has been confirmed on fully patched systems running Windows XP and Windows 2000.
The vulnerability reportedly also affects Windows 95, 98, and Me. It is currently unknown whether Windows NT 4.0 and Windows 2003 are affected.
NOTE: Secunia would normally rate this kind of vulnerability as "Moderately critical", since this kind of traffic should be restricted to a LAN via border routers and firewalls. However, this is not the case on many networks, which leads to the higher rating.
Solution:
Restrict traffic in border routers and firewalls.
Disable "Client for Microsoft Networks" for network cards. This will impact file sharing functionality.
http://secunia.com/advisories/11482/
Today is the 26th of April.
For several years, this day used to mean worldwide damage caused by the CIH virus. This virus was very widespread during 1998-2000. It was programmed to activate destructively every year on this date, overwriting most of the data on the hard drive and attempting to overwrite the Flash BIOS chip of the computer, making it unbootable.
The CIH virus family is no longer widespread. The last time we saw a significant amount of damage (mostly in Asia) was in April 2001. We expect to see no damage now in April 2004.
http://www.f-secure.com/weblog/#00000143
UK-based virus detection firm Sophos Anti-Virus and US-based software and server company Sun Microsystems Inc, have announced an integration of Sophos PureMessage and Java System Messaging Server, a key component of the Sun Java Enterprise System, a media release from Sophos says.
The new integrated system will protect against spam, viruses and other security threats for telecommunication carriers, universities and large enterprises.
http://www.smh.com.au/articles/2004/04/26/1082831481063.html
A study conducted by KidsGuard.com among a sample of over 66,000 children in the UK determined that kids receive an average of 1.46 pornographic e-mails each day and 10 per week.
http://www.emarketer.com/news/article.php?1002765