***Not even in the film Dune were there this many worms!*** Another period of intense activity is shaping up for sysadmins and IT security staff: numerous new worms are circulating that exploit the vulnerabilities in the LSASS (Local Security Authority Subsystem Service) component of Windows. Since Sasser appeared, about a dozen new worms and variants of them have surfaced on the worldwide computing scene: Cycle, Gaobot, Wallon, Bobax, Korgo, Kibuv and Sdbot. Gaobot and Wallon have been on the antivirus blacklists for some time now, so their offensive power is presumed to be limited. Netsky.P, Bagle.X and Dumaru are currently the most aggressive and prolific email viruses in circulation.
http://www.pc-facile.com/news.php?n=19295
***Here comes Dabber, the worm that infects infected PCs*** The Dabber worm is spreading across the Net; it exploits a vulnerability in Sasser's code to install itself on the PC. It is the first time, security experts maintain, that a worm uses a flaw in another virus's code as a vehicle for spreading. Specifically, Dabber scans ports 5554 or 9898 looking for Windows computers infected with Sasser. Once it finds one, Dabber installs a copy of itself in the System (or System32) folder under the name Package.exe and may add registry keys so that it starts automatically. Dabber neutralizes Sasser and opens port 9898 as a backdoor, which can then be used by malicious users to install further unwanted code on the machine. Dabber resembles Sasser in that users do not receive a suspicious e-mail carrying the virus.
http://www.pc-facile.com/news.php?n=18973
SOFTWARE PIRACY, THE LAW CHANGES
Some points of the law against software piracy will be changed.
Only those who distribute pirated copies for profit will be punished
http://www.studiocelentano.it/newsflash_dett.asp?id=7890
97 E-MAILS OUT OF 100 ARE SPAM. ACTION IS NEEDED
A study carried out by the company MessageLabs showed that 97 percent of e-mails are spam
http://www.studiocelentano.it/newsflash_dett.asp?id=7832
-->> MCAFEE LINUXSHIELD: THE ANTIVIRUS FOR LINUX
Network Associates has presented McAfee LinuxShield, the antivirus solution for the penguin
URL: http://news.hwupgrade.it/12515.html
Php
Vendor: PHP Group
A vulnerability was reported in PHP. A remote user may be able to bypass include file filters.
Impact: Host/resource access via network
Alert: http://securitytracker.com/alerts/2004/May/1010326.html
Mod_ssl
Vendor: Modssl.org
A buffer overflow vulnerability was reported in Apache mod_ssl. A remote user may be able to execute arbitrary code on the target system in certain situations.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2004/May/1010322.html
OfficeConnect Router (3Com)
Vendor: 3Com
iDEFENSE reported a vulnerability in the 3Com OfficeConnect Remote 812 ADSL Router. A remote user can bypass the authentication process to gain access to the device.
Impact: Root access via network
Alert: http://securitytracker.com/alerts/2004/May/1010320.html
IPSec
Vendor: Microsoft
A vulnerability was reported in Microsoft Windows 2000 and XP in the default IPSec filtering configuration. A remote user can bypass the filter and access ports on the system.
Impact: Host/resource access via network
Alert: http://securitytracker.com/alerts/2004/May/1010314.html
Xdm
Vendor: XFree86 Project
A vulnerability was reported in xdm. The software may open random TCP sockets.
Impact: User access via network
Alert: http://securitytracker.com/alerts/2004/May/1010306.html
Mailman
Vendor: GNU [multiple authors]
A vulnerability was reported in Mailman. A remote user may be able to obtain the password of another user.
Impact: Disclosure of authentication information
Alert: http://securitytracker.com/alerts/2004/May/1010283.html
F-Secure Anti-Virus
Vendor: F-Secure
A vulnerability was reported in F-Secure Anti-Virus. The software does not detect the Sober.D and Sober.G worms in certain cases.
Impact: Host/resource access via network
Alert: http://securitytracker.com/alerts/2004/May/1010279.html
Safari
Vendor: Apple Computer
A vulnerability was reported in the Safari web browser on Mac OS X. A remote user can invoke SSH with command options on the target system. Other browsers may also be affected.
Impact: Execution of arbitrary code via network
Alert: http://securitytracker.com/alerts/2004/May/1010267.html
The possible futures of wireless networks
by Salvatore Romagnolo
The world of wireless technologies is in chaos, a creative chaos, one of those moments in the development of a fundamental technology in which several trends coexist, all promising and technically flawless, each of them, alone or in combination with others, capable of generating a possible future with its lights and shadows.
http://www.apogeonline.com/webzine/2004/06/01/06/200406010601
Apache 1.3: Multiple Vulnerabilities
Multiple vulnerabilities reported in Apache 1.3 allow an attacker to bypass access restrictions, cause denial of service and execute arbitrary code.
http://www.alground.com/news/news.php?page=336
Vulnerabilities in MPlayer, xine-lib
A remote attacker posing as an RTSP stream server can execute code with the privileges of the user running the streaming software (MPlayer or any other program that uses xine-lib). Another attack is to induce the user to follow arbitrary URLs or playlists to obtain the same results.
http://www.alground.com/news/news.php?page=338
"No, Fedora doesn't wreck Windows"
A few days ago a news item appeared titled "Fedora wrecks Windows?!?" which should more correctly have been titled "Problems in kernel 2.6". ZioBudda.net apologizes to Fedora users, to the Fedora project and to the users of fedoraitalia.org, who nevertheless could have spared themselves some of the remarks directed at this portal.
http://www.ziobudda.net/Admin/redir_news.php?id=17371
STARTING UP NETWORK SERVICES FROM XINETD
xinetd is started on bootup, and listens on ports designated in /etc/xinetd.conf for incoming network connections. When a new connection is made, xinetd starts up the corresponding network service.
http://www.net-security.org/news.php?id=5269
REMOTE BACKUP USING SSH, TAR AND CRON
Are you looking for a solution to backup your data to a remote location?
http://www.net-security.org/news.php?id=5270
GUI ADMINISTRATION WITH KSYSGUARD
This app has absolutely nothing to do with guarding anything. KSysguard lets you manage processes and monitor resources on local or remote systems.
According to the documentation, it can be built on Solaris, BSD, and Linux.
http://www.net-security.org/news.php?id=5291
MANAGING SECURITY FOR MOBILE USERS (PART TWO)
Part two of this article completes the discussion and presents ways of providing additional layers of defense to help protect the valuable, mobile data.
http://www.net-security.org/news.php?id=5312
AUTOMATED PENETRATION TESTING WITH CORE IMPACT 4.0
Core Security Technologies today announced a major update to CORE IMPACT, their flagship penetration testing product.
http://www.net-security.org/article.php?id=692
"Cisco lays the foundations for next-generation IP networks"
Cisco Carrier Routing: Cisco Systems lays the foundations for building next-generation IP networks. This major innovation allows carriers to offer new IP services to both residential users and offices of all sizes.
http://www.ziobudda.net/Admin/redir_news.php?id=17394
"Slackware also chooses X.org"
After the more famous and celebrated Linux distributions, Slackware too has decided to replace XFree86 with X.org. [The link leads to the official changelog]
http://www.ziobudda.net/Admin/redir_news.php?id=17389
INTEL WANTS AN OPEN SOURCE BIOS
The code behind the next-generation BIOS developed by Intel, and backed by a sizeable group of manufacturers, will be released through the open source channel to push it as far as possible on Linux
URL: http://punto-informatico.it/pi.asp?i=48451
MEMORIES FROM THE UNDERGROUND
What did it mean to be part of a crew of enthusiastic tinkerers drawn toward the pernicious drifts of cracking? Years later, a member of an Italian crew recalls the path travelled
URL: http://punto-informatico.it/pi.asp?i=48448
Bluetooth Security
An article by Gabriele Barni on the security of the Bluetooth protocol and of the mobile phones that use it.
http://www.securitywireless.info/article_read.asp?id=91
CHROOTING APACHE
"In this article we will look at how to install the Apache Web server in such an environment..."
http://nl.internet.com/ct.html?rtr=on&s=1,xii,1,6fqw,kdvs,l6kx,c929
IPFILTER ON GNU/LINUX: IS IT FINALLY HERE?
"ipfilter now is available for GNU/Linux, but it's not quite ready to replace your current firewall setup..."
http://nl.internet.com/ct.html?rtr=on&s=1,xii,1,ff7l,cb23,l6kx,c929
MANDRAKELINUX ADVISORIES: MOD_SSL, APACHE2, XPCD
Three security advisories from MandrakeSoft.
http://nl.internet.com/ct.html?rtr=on&s=1,xmb,1,7wzn,exol,85jl,7pty
DEBIAN GNU/LINUX ADVISORIES: GATOS, JFTPGW, ETHEREAL
Three security advisories from the Debian Project.
http://nl.internet.com/ct.html?rtr=on&s=1,xmb,1,hnep,8wxn,85jl,7pty
LINUX: IS SWAP NECESSARY?
"Following recent discussions about tuning swapiness and dynamically allocating swap as needed, a new discussion ensued on the lkml questioning the need for swap altogether when a system has 'sufficient' ram..."
http://nl.internet.com/ct.html?rtr=on&s=1,xmb,1,4zcq,ewpp,85jl,7pty
CLI FOR NOOBIES: SORT OF BRAGGING
"This week we'll look at the sort command, and a couple of options you may not be familiar with..."
http://nl.internet.com/ct.html?rtr=on&s=1,xmb,1,inqd,4h2o,85jl,7pty
Technology
Title: AT&T beefs up cybersecurity tools
Source: ZDNet
Date Written: June 1, 2004
Date Collected: June 2, 2004
AT&T has released a new feature for users of AT&T Internet Protect, its intrusion alert service, designed to combat denial of service (DoS) and distributed denial of service (DDoS) attacks. The new feature, based on technology from Cisco Systems and Arbor Networks, compares discrepancies in network traffic against normal network behaviors, patterns, and protocol compliance. When an attack is detected, it is diverted away from legitimate traffic. A 2003 study by the Computer Security Institute and the Federal Bureau of Investigation named denial of service attacks as the second most expensive computer crime, with average enterprise loss exceeding $1.4 million.
http://zdnet.com.com/2100-1105-5223659.html
Vulnerabilities & Exploits
Title: Security Bug in Linksys Wireless-G Router
Source: Internet News
Date Written: June 2, 2004
Date Collected: June 2, 2004
Cisco's Linksys WRT54G Wireless-G Broadband Router has a flaw that could allow an attacker to gain administrative privileges on vulnerable devices.
Even if the remote administration feature on the device is turned off, the router serves the administration web page on ports 80 and 443, protected only by a weak default password. Secunia rates the flaw as 'moderately critical' and advises users to use a stronger password for administrative access, or restrict access to the interface altogether. Alternatively, the device can be configured to forward traffic on the port to a non-existent server; even if sent to an existent server, forwarding will override the default behavior.
http://www.internetnews.com/infra/article.php/3362321
Multiple Security Roles With Unix/Linux
There are some areas of security where Linux and Unix have some strong wins, and simply fit in better than anything else.
http://www.securityfocus.com/columnists/247
Catching a Virus Writer
With the consumer WiFi explosion, launching a virus into the wild has never been easier and more anonymous than it is today.
http://www.securityfocus.com/columnists/246
grsecurity development ceases
As of today, 31 May, development of grsecurity, the fairly well-known Linux patch for hardening system security, ceases... what a pity!! Let's hope they manage to find a sponsor or someone to carry this project forward in the future!!
http://www.itvc.net/news_view.asp?id=320
LINUX, CRITICISM OF THE NEW DCO SYSTEM
The new procedure requires anyone contributing changes to the kernel to register their name and e-mail address. But many don't like it
http://www.studiocelentano.it/newsflash_dett.asp?id=7965
"Solaris Open Source"
Jonathan Schwartz finally admits that Sun is seriously considering an Open Source release of the Solaris operating system. It is not yet known when, but one question arises spontaneously: isn't it too late?
http://www.ziobudda.net/Admin/redir_news.php?id=17406
Also - http://www.raulken.it/article2562.html&mode=&order=0&thold=0
Also - http://www.nwfusion.com/news/2004/0602suntoop.html
** HERE COMES KORGO, SASSER'S TWIN ** More "pestilential", but with less chance of spreading.
>> by Salvatore Aranzulla
http://www.zeusnews.it/news.php?cod=3150
Also - http://software.silicon.com/security/0,39024655,39121085,00.htm
Also - http://www.smh.com.au/articles/2004/06/03/1086203543424.html
Also - http://www.theregister.co.uk/2004/06/03/korgo_worm
China, Internet Out
China keeps wanting to rein in and control the Internet. This time the excuse for closing 16,000 Internet cafés was a campaign against misleading advertising. At the end of April the closure of 8,600 Internet cafés had been announced...
http://www.raulken.it/article2563.html&mode=&order=0&thold=0
Linux: Network sniffing with ettercap
The following article describes how to sniff, within a network, the traffic coming from a particular machine.
http://www.raulken.it/article2537.html&mode=&order=0&thold=0
Opera snips phishing lines
Opera has updated its browser to prevent its software being manipulated by would-be fraudsters to display a fake address to surfers.
http://www.theregister.co.uk/2004/06/03/opera_cuts_phishing/
DEBIAN GNU/LINUX ADVISORIES: GALLERY, RSYNC
Two security advisories from the Debian Project.
http://nl.internet.com/ct.html?rtr=on&s=1,xpq,1,s85,s9s,85jl,7pty
SLACKWARE LINUX ADVISORIES: MOD_SSL, PHP
Two security advisories from Slackware.
http://nl.internet.com/ct.html?rtr=on&s=1,xpq,1,15st,7wim,85jl,7pty
GENTOO LINUX ADVISORY: TLA
"The fixed ebuild proposed in the original version of this Security Advisory did not address all the vulnerabilities of the tla package..."
http://nl.internet.com/ct.html?rtr=on&s=1,xpq,1,djbn,f6d4,85jl,7pty
DKMS 1.90.46 (Pre-2.x)
DKMS (Dynamic Kernel Module Support) is a framework where device driver source can reside outside the kernel source tree so that it is very easy to rebuild modules as you upgrade kernels. This allows Linux vendors to provide driver drops without having to wait for new kernel releases (as a stopgap before the code can make it back into the kernel), while also taking out the guesswork for customers attempting to recompile modules for new kernels. For veteran Linux users it also provides some advantages since a separate framework for driver drops will remove kernel releases as a blocking mechanism for distributing code.
http://freshmeat.net/releases/162791/
Linux Intrusion Detection System 2.2.0pre5 for 2.6.6 (2.6)
The Linux Intrusion Detection System (LIDS) is a patch which enhances the kernel's security by implementing a reference monitor and Mandatory Access Control (MAC). When it is in effect, chosen file access, all system/network administration operations, any capability use, raw device, memory, and I/O access can be made impossible even for root. You can define which programs can access specific files. It uses and extends the system capabilities bounding set to control the whole system and adds some network and filesystem security features to the kernel to enhance the security. You can finely tune the security protections online, hide sensitive processes, receive security alerts through the network, and more.
http://freshmeat.net/releases/162786/
PHP 4.3.7
PHP is a widely-used Open Source general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. Its syntax draws upon C, Java, and Perl, and is easy to learn. PHP runs on many different platforms and can be used as a standalone executable or as a module under a variety of Web servers. It has excellent support for databases, XML, LDAP, IMAP, Java, various Internet protocols, and general data manipulation, and is extensible via its powerful API. It is actively developed and supported by a talented and energetic international team.
Numerous Open Source and commercial PHP-based application packages are available.
http://freshmeat.net/releases/162766/
WHEN THE ANTIVIRUS GOES INTO CRISIS
Symantec Norton AntiVirus 2004 allows remote code execution, because it does not correctly validate input to its ActiveX controls. By crafting a Web page with suitable code, an attacker can cause code execution, or crash the antivirus, on the machine of a user who visits it. Further details at the URL http://www.kb.cert.org/vuls/id/312510. The patch is available via LiveUpdate, the automatic update service for Symantec antivirus products.
FOUR BUGS FOR APACHE
Four vulnerabilities have been identified in Apache 1.3.30 and earlier versions. The first means that escape sequences are not filtered in the error logs, thus allowing portions of the logs to be hidden. In mod_digest the authentication 'nonce' was not verified, while mod_access did not work correctly on 64-bit big-endian machines.
Finally, the last vulnerability allows a theoretical denial of service.
Further details at the URLs
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
WHEN EVEN OPENBSD FAILS
OpenBSD, in versions 3.4 and 3.5, allows a local attacker to gain elevated privileges or read kernel memory, owing to a series of problems in procfs. For OpenBSD 3.4 the patch is available at the URL http://www.openbsd.org/errata34.html. For OpenBSD 3.5 the URL is http://www.openbsd.org/errata.html#sysvshm. The original advisory is available at the URL
http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=108445767103004&w=2
WEB SERVICES: A 'GUIDE' FOR PROTECTION
The WS-I has released a first draft of a document addressing the topic of interoperability between services
http://www.nwi.it/idg/networkworld/news.nsf/Newsletter/6C470AAB41A961C5C1256E99004516A9
Wireless Attacks and Penetration Testing (part 1 of 3)
By Jonathan Hassell
This is the first of a three-part series on penetration testing for wireless networks. This installment will detail many common styles of attacks against wireless networks, introduce WEP key-cracking, and then discuss some recent developments in wireless security.
http://www.securityfocus.com/infocus/1783
Malware
Title: Potter-mania fuels pesky virus
Source: BBC
Date Written: June 3, 2004
Date Collected: June 4, 2004
A variant of the Netsky Internet worm, Netsky.P, which has been in circulation since late March 2004, is making a strong comeback this week by exploiting excitement about the release of the latest Harry Potter movie, 'Harry Potter and the Prisoner of Azkaban'. Netsky.P disguises itself as a Harry Potter game or book and spreads via e-mail and file-sharing networks, such as Kazaa. The worm uses a common social engineering technique and targets mainly children, who often know little about cybersecurity.
According to anti-virus firm Sophos, Netsky.P was the second most common virus in May 2004, but numerous copies of the virus have begun to re-appear this week.
http://news.bbc.co.uk/2/hi/technology/3773443.stm
Also - http://news.com.com/Harry+Potter+and+the+Trojan+of+doom/2100-7349_3-5225792.html
Also - http://www.theregister.co.uk/2004/06/04/netsky-p_harryp
Also - http://www.vnunet.com/news/1155604
Also - http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci968651,00.html
Malware
Title: New Worm Targets Old Windows Flaws
Source: PC World
Date Written: June 4, 2004
Date Collected: June 4, 2004
Anti-virus companies, on June 3, 2004, warned users about a new blended threat Internet worm. The new worm, named Plexus or Explet, is rated as a 'moderate' threat by Moscow-based Kaspersky Labs. Plexus could become a problem because it uses three different methods to spread - it spreads via e-mail, file-sharing networks, and by automatically exploiting the RPC DCOM and LSASS vulnerabilities in Microsoft Windows systems. According to Kaspersky Labs, the worm was written using source code from the earlier MyDoom worm. Plexus also opens a backdoor on infected systems.
http://www.pcworld.com/news/article/0,aid,116391,00.asp
Also - http://www.theregister.co.uk/2004/06/03/plexus_worm
Also - http://www.techweb.com/wire/story/TWB20040603S0007
Vulnerabilities & Exploits
Title: Attack of the bandwidth-hogging hackers
Source: Security Focus
Date Written: June 2, 2004
Date Collected: June 4, 2004
A group of Swiss security researchers from the Ecole Polytechnique Federale de Lausanne (EPFL) has discovered a flaw in wireless LAN (local area network) systems that could allow a hacker to "drastically increase" his share of the available bandwidth on a network. The flaw could cause problems for hotspot operators offering limited amounts of bandwidth. Additional bandwidth can be garnered by modifying MAC protocol parameters or protocol timers, misusing collision-avoidance mechanisms such as the Net Allocation Vector, and selectively scrambling other users' frames. Attacks using such techniques have so far not been discovered in the wild.
http://www.securityfocus.com/news/8810
Vulnerabilities & Exploits
Title: Opera Patches URL-Spoofing Flaw
Source: Internet News
Date Written: June 3, 2004
Date Collected: June 4, 2004
On June 3, 2004, Opera Software, maker of a popular alternative web browser, released Opera 7.51 to fix a security vulnerability that could facilitate so-called online phishing attacks by making the browser show a fake address in its address bar. The flaw, which was discovered in May by Israel-based security consultants GreyMagic, is in the 'Shortcut Icon' feature of Opera versions 7.50 and prior. This is the second significant URL-spoofing vulnerability to be discovered this year. A similar flaw in Microsoft's Internet Explorer (IE) web browser was fixed several months ago.
http://www.internetnews.com/dev-news/article.php/3362991
Also - http://www.theregister.co.uk/2004/06/03/opera_cuts_phishing
g00d reading! 'n' bye
Security News MainTainer:
The Jackal a.k.a. jAcKallO < jackal [at] capitanlug.it >
(AreaSessantuno Member) / (SpiPPolatori Collaborator) (HackerAlliance Member) / (Security News MainTainer) (Founding partner and Member of CapitanLUG.iT)