[ISN] The weakest link in the chain
From: InfoSec News (isn@C4I.ORG)
Date: Sat Apr 07 2001 - 03:46:15 CDT
UNIX SECURITY --- April 05, 2001
Published by ITworld.com -- changing the way you view IT
* Human nature remains the most dangerous vulnerability.
* Web Security Q&A: Which OS offers the best security?
Advisory: Wetware v2001 Still Vulnerable to Common Attacks
By Carole Fennelly and Jay D. Dyson
A security vulnerability exists that affects every computer system in
the world -- regardless of hardware or software. This vulnerability
extends worldwide; it's massive, severe, and just plain scary. Despite
years of modifications and real-time testing, no patch is currently
available. It was first discovered in a place known as "The Garden of
Eden," where a serpent convinced a woman called Eve that eating an
apple would provide her knowledge of good and evil. While knowledge of
good and evil was indeed imparted, differentiating between the two was
apparently not part of the package.
Consequently, human nature is fallible and cannot be changed. We make
mistakes, and we can be manipulated to circumvent security measures.
No matter what security devices are installed on an infrastructure,
a human can override them. After all, no one wants to court a
Terminator-esque scenario where humans relinquish control to a
machine. Some recent events highlight this fact rather dramatically.
Microsoft Digital Certificates
VeriSign issued two digital certificates in Microsoft's name on
January 30 and January 31. The certificates are used to verify that
Microsoft actually supplied a piece of software, rather than someone
impersonating Microsoft. Unfortunately, VeriSign issued the
certificates to a person pretending to represent Microsoft. D'oh!
Microsoft Security Bulletin
Microsoft Warns of Hijacked Certificates
Sure, mistakes happen, but it took six weeks for them to catch this one.
Better late than never, I suppose.
High school dropout Abraham Abdallah used the Web and social
engineering techniques to steal money from celebrities. Unbelievable!
A con artist actually used the Internet to pull off a scam. I suppose
they will be calling this so-called "cyber-criminal" a hacker next.
Government Accuses Busboy of Internet Fraud Scheme
Ironic, isn't it? Wall St. firms spend millions of dollars on
firewalls and security systems to prevent cyber-fraud, but not even a
hundred firewalls can stop a good con artist. Fortunately, the firms
involved did not rely solely on technical devices to prevent and
DNS Lion Worm
The SANS Institute recently discovered a new Linux worm that exploits
a known vulnerability in BIND DNS versions 8.2, 8.2-P1, 8.2.1, and
8.2.2-Px (http://www.sans.org/y2k/lion.htm). This very nasty worm
goes through networks looking for vulnerable systems to exploit and
sends user account data to an address in China. Even after the system
is patched, that data has still been compromised.
The BIND vulnerability Lion exploits is not new. In fact, CERT
reported this back on January 29, 2001.
CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
CERT considered this so serious, they even held a press conference so
people would pay attention to it. While conscientious administrators
immediately patched their DNS servers, many did not. Men & Mice, a
Nordic company specialising in DNS solutions, queried the DNS servers
of all Fortune 1000 companies on the Internet. As of February 21,
2001, 12.4% were *still* vulnerable!
The Lion worm's success is a direct result of organizations neglecting
to patch their vulnerable servers, relentlessly proving their
incompetence regarding patching. Sure, one could argue that these
programming errors should be fixed before software ships, but the fact
remains that a solution has been available for some time now; yet here
we are in April and thousands of servers remain vulnerable.
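As an added illustration (not code from the article, from SANS, or from
Men & Mice), the following Python script shows the kind of inventory
check the Fortune 1000 survey above implies: it builds the
`version.bind` CHAOS TXT query, parses a reply of the form a BIND 8
server returns, and flags the reported version against the releases
named above (8.2, 8.2-P1, 8.2.1, 8.2.2-Px). The hostnames and reply
packets are constructed inline so it runs offline; that a given server
answers `version.bind` truthfully is an assumption (many hide or fake
the banner), which is why there is an "unknown" bucket.

```python
"""Offline audit helper for the BIND 8.2.x releases the article names.
Added example, not part of the original ITworld/ISN text."""
import struct

QTYPE_TXT = 16   # TXT record
QCLASS_CH = 3    # CHAOS class, used for version.bind
MAX_POINTER_HOPS = 16  # guard against compression-pointer loops in a hostile reply


def build_version_query(txid=0x1234):
    """Wire-format query for 'version.bind. CH TXT' (standard DNS header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_CH)


def _read_name(packet, offset):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, hops, end, jumped = [], 0, offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_version_reply(packet):
    """Extract the TXT string from a version.bind reply; None if no CH TXT answer."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000:
        raise ValueError("not a response packet")
    off = 12
    for _ in range(qd):               # skip question section
        _, off = _read_name(packet, off)
        off += 4
    for _ in range(an):
        _, off = _read_name(packet, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CH:
            strings, i = [], 0
            while i < len(rdata):     # TXT RDATA is a sequence of <len><chars>
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            return " ".join(strings)
    return None


def classify_bind_version(version):
    """Compare a banner against the releases the article lists as exploited by Lion."""
    if version is None:
        return "unknown"
    v = version.strip()
    if v in ("8.2", "8.2-P1", "8.2.1") or v.startswith("8.2.2-P"):
        return "vulnerable"
    if not v or not v[0].isdigit():  # hidden or joke banner: cannot tell from here
        return "unknown"
    return "not in listed set"


def build_sample_reply(query, version_text):
    """CONSTRUCTED reply in the shape BIND 8 sends; stands in for a live server."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    txt = version_text.encode("ascii")
    rdata = bytes([len(txt)]) + txt
    answer = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def audit_inventory(banners):
    """Map host -> classification, driving the query/parse path over constructed replies."""
    results = {}
    for host, banner in banners.items():
        query = build_version_query()
        reply = build_sample_reply(query, banner)   # a live audit would send query over UDP/53
        results[host] = classify_bind_version(parse_version_reply(reply))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and banners are made up).
    sample = {"ns1.example.test": "8.2.2-P5", "ns2.example.test": "9.1.0",
              "ns3.example.test": "surely you must be joking"}
    for host, verdict in audit_inventory(sample).items():
        print(f"{host}: {verdict}")
```

A banner that is "not in listed set" is only a statement about the
list above, not a clean bill of health; the point the article makes is
that the fix existed for months and the missing step was a person
applying it, so the useful output of a check like this is the list of
hosts someone still has to patch.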
A security structure is only as secure as the weakest link, and social
engineering remains the easiest way to compromise security. We are a
long way from patching for this one and even when we do, a human would
have to install it.
About the author(s)
Carole Fennelly is a partner in Wizard's Keys Corporation, a company
specializing in computer security consulting. She has been a Unix
system administrator for almost 20 years on various platforms, and
provides security consultation to several financial institutions in
the New York City area. Visit her site (http://www.wkeys.com/) or
reach her at carole.fennelly@unixinsider.com.
Jay D. Dyson is a senior security consultant for OneSecure, Inc., a
company specializing in managed network and host security services.
He also serves as a part-time consultant on security issues for the
National Aeronautics and Space Administration in Pasadena. He has
been a system administrator for over 15 years on various platforms.
DoubleClick admits servers were hacked
CIAC's new hoax page
The Psychology of Social Engineering
Microsoft updates Windows to combat VeriSign glitch
Mobile security flaw delivers yet another blow to IPv6
Web Security Q&A
Delve into the gory technical details of Web security in this
discussion for security pros (and newbies) of all stripes.
ISN is hosted by SecurityFocus.com