Security Threat Watch 135
From: Security Threat Watch Newsletter (NetworkComputing@update.networkcomputing.com)
Date: Mon Jun 12 2006 - 13:02:50 CDT
Security Threat Watch
Number 135
Monday, June 12, 2006
Created for you by Network Computing & Neohapsis
Are stronger password policies a route to better security or a source
of greater vulnerability? As companies become increasingly security
conscious, more emphasis is placed on password strength. Although weak
passwords remain one of the top means of exploiting computers and
network services, strengthening password security tends to carry
substantial costs, and the average user often trades stronger passwords
for efficiency, usability and ease of recall. The byproducts of these
trade-offs may ultimately lead to insecurity, as users are forced to
write down passphrases or, worse, automate password entry in order to
cope with systems that enforce stronger security schemes. These users
may still be meeting their company's defined security requirements, but
they are potentially opening holes and creating greater vulnerabilities
by storing passwords in easy-to-find, readable locations.
Solutions to this password paradox include hardware authentication
tokens, which allow users to generate single-use passwords from
key-chain tokens. These token-based passwords expire once used and
require users to remember little (if any) password information; they
only need to remember how to press a button on the key-chain token
device to acquire their next password. Other solutions include the use
of biometrics, such as fingerprint or retina analysis, to authenticate.
Biometrics, if used properly, are often considered very secure and
require even less user interaction or password recollection than tokens.
This is not to say, however, that biometrics or hardware tokens are
flawless. Security researchers have shown methods for bypassing some
biometric systems, for example using gelatin fingers to spoof
fingerprints. On the other hand, the security of hardware tokens is
completely compromised should users ever misplace or lose their tokens.
Are these risks any more threatening than poorly chosen, easily guessed
passwords? Maybe it's just trading one set of problems (poor password
management) for another (poor password replacement).
Of course, implementing either of these solutions can add complications
to a company's operations. But both may prove far more valuable in terms
of overall security. In the end, password security comes down to meeting
the enforced requirements without introducing new security breaches,
given the needs and expectations of employees and users.
Until next issue,
- The Neohapsis Security Threat Watch Team
--- Advertisement
-----------------------------------------------------
This issue sponsored by EC-Council's CEH Certification.
Certified Ethical Hacker is the most practical security
certification you can give your staff. Hire a Certified Ethical
Hacker, or send your staff to earn the certification. For a free
copy of "The 7 Habits of a Highly Malicious Hacker" visit:
--- TechCareers: The Job Hunt And Age Discrimination
-----------------------------------------------
By Rusty DAversa, TechCareers.com
Fighting discrimination is all about proving your value to the hiring
manager, says a career expert.
http://www.techcareers.com/content/article.asp?articleid=185303267
--- Advertisement
-----------------------------------------------------
NWC Podcasts
Listen to Network Computing's editors talk about today's most pressing
enterprise challenges with some of the IT industry's leading experts.
Tune in as we cover topics including security, collaboration,
convergence and more.
http://www.networkcomputing.com/podcasts
--- New Vulnerabilities
-----------------------------------------------
Below is a list of new vulnerabilities announced this week.
Vulnerabilities considered 'critical' involve widely deployed
software or carry a high risk of system compromise. Note that
vulnerabilities not highlighted may still be of critical severity
to your environment.
**** Highlighted critical vulnerabilities ****
Asterisk 1.2.9, 1.0.11: remote DoS
**** Newly announced vulnerabilities this week ****
____Windows____
AutoMate 6.1.0: local overflow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0121.html
Mathcad 13.1: authentication bypass
http://archives.neohapsis.com/archives/bugtraq/2006-06/0076.html
Microsoft Internet Explorer 6 SP2: remote DoS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0794.html
Microsoft NetMeeting 3.01: remote DoS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0040.html
Syworks SafeNET: remote DoS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0801.html
____Linux____
Asterisk 1.2.9, 1.0.11: remote DoS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0015.html
____Network Devices____
D-Link DWL-2100: information disclosure
http://archives.neohapsis.com/archives/bugtraq/2006-06/0033.html
____CGI____
ASPScriptz Guest Book 2.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0806.html
Babykatmedia vSCAL, vREAL: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0060.html
Back-end 0.7.2.1: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0078.html
BloggIT 1.01: remote command execution
http://archives.neohapsis.com/archives/bugtraq/2006-06/0025.html
Bookmark4U 2.0: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0779.html
Calendar Express 2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0054.html
Chemical Directory: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0061.html
CoolForum 0.8.3: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0749.html
CyBoards PHP Lite 1.25: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0783.html
Dmx Forum 2.1a: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0799.html
Docebo CMS 3.0.3: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0108.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0109.html
Docebo Kms 3.0.3: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0113.html
http://archives.neohapsis.com/archives/bugtraq/2006-06/0116.html
DokuWiki PHP: remote code execution
http://archives.neohapsis.com/archives/bugtraq/2006-05/0793.html
DotClear 1.2.4: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0758.html
DreamAccount 3.1: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0795.html
ESTsoft InternetDISK 2006/04/19: remote code execution
http://archives.neohapsis.com/archives/bugtraq/2006-05/0802.html
Easy Ad-Manager: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0062.html
Ez Ringtone Manager: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0069.html
FunkBoard CF0.71: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0791.html
GANTTy 1.0.3: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0014.html
GUESTEX 1.0: remote command execution
http://archives.neohapsis.com/archives/bugtraq/2006-06/0070.html
HostAdmin 3.1: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0796.html
Kmita FAQ 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0787.html
LabWiki 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0786.html
LifeType 1.0.4: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0759.html
LocazoList Classifieds 1.05e: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0753.html
Mafia Moblog 6: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0059.html
MiraksGalerie 2.62: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0066.html
MobeSpace 2.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0115.html
MyBB 1.1.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0042.html
NPDS 5.10: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0077.html
OkMall 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0101.html
PBL Guestbook 1.31: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0057.html
PHP-Nuke 7.9: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0079.html
Partial Links 1.2.2: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0007.html
Particle Gallery 1.0: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0006.html
ParticleSoft Whois 1.0.3: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0008.html
ParticleSoft Wiki 1.0.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0010.html
Pixelpost 1-5rc1-2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0746.html
Rumble 1.02: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0781.html
SelectaPix 1.31: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0120.html
Tikiwiki 1.9.3.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0072.html
TinyMuw 1.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0122.html
TinyPHP forum 3.6: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0026.html
ViArt Shop 2.5.5: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0063.html
Vice Stats 0.5b: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-06/0038.html
Xtreme Downloads 1.0: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0002.html
aWebNews 1.0: remote file viewing
http://archives.neohapsis.com/archives/bugtraq/2006-06/0046.html
cms-bandits 2.5: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-06/0071.html
dotWidget 1.0.6: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0755.html
ewsEngine 1.5.0: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0792.html
i.List 1.5: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0065.html
iFoto 0.20-06/06/06: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0103.html
integramod portal: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0089.html
mole.com.ua Booking Script: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0111.html
myNewsletter 1.1.2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2006-05/0803.html
phazizGuestbook 2.0: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0104.html
phpBB2: remote PHP file inclusion
http://archives.neohapsis.com/archives/bugtraq/2006-05/0754.html
scriptsez.net E-Dating: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0067.html
shoutcast: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0082.html
____Cross Platform____
Quake 3 engine (1.32c / rev 795): remote overflow
http://archives.neohapsis.com/archives/bugtraq/2006-05/0778.html
VMware ESX 2.5.2: XSS
http://archives.neohapsis.com/archives/bugtraq/2006-05/0771.html
gdm 2.8: privilege escalation
http://archives.neohapsis.com/archives/bugtraq/2006-06/0087.html
libgd 2.0.33: local DoS
http://archives.neohapsis.com/archives/bugtraq/2006-06/0018.html
spamassassin 3.12: remote command execution
http://archives.neohapsis.com/archives/bugtraq/2006-06/0036.html
--- Patches and Updates
-----------------------------------------------
The following is a list of vendor patches and updates released
this week.
____Linux____
Debian > DSA 1087-1: PostgreSQL
http://archives.neohapsis.com/archives/bugtraq/2006-05/0747.html
Debian > DSA 1088-1: centericq
http://archives.neohapsis.com/archives/bugtraq/2006-05/0750.html
Debian > DSA 1089-1: freeradius
http://archives.neohapsis.com/archives/bugtraq/2006-05/0756.html
Debian > DSA 1090-1: spamassassin
http://archives.neohapsis.com/archives/vendor/2006-q2/0090.html
Debian > DSA 1091-1: TIFF
http://archives.neohapsis.com/archives/vendor/2006-q2/0091.html
Debian > DSA 1092-1: MySQL
http://archives.neohapsis.com/archives/vendor/2006-q2/0092.html
Debian > DSA 1093-1: xine-ui
http://archives.neohapsis.com/archives/vendor/2006-q2/0093.html
Debian > DSA 1094-1: gforge
http://archives.neohapsis.com/archives/vendor/2006-q2/0094.html
Fedora > FLSA-2006:189137-1: Mozilla
http://archives.neohapsis.com/archives/bugtraq/2006-06/0044.html
Fedora > FLSA-2006:189137-2: Firefox
http://archives.neohapsis.com/archives/bugtraq/2006-06/0053.html
Fedora > FLSA-2006:190777: X.org
http://archives.neohapsis.com/archives/bugtraq/2006-06/0048.html
Fedora > FLSA-2006:190884: squirrelmail
http://archives.neohapsis.com/archives/bugtraq/2006-06/0052.html
Fedora > FLSA-2006:190941: IPSec tools
http://archives.neohapsis.com/archives/bugtraq/2006-06/0050.html
Gentoo > GLSA200606-01: Opera
http://archives.neohapsis.com/archives/bugtraq/2006-06/0045.html
Gentoo > GLSA200606-02: shadow
http://archives.neohapsis.com/archives/bugtraq/2006-06/0021.html
Gentoo > GLSA200606-03: Dia
http://archives.neohapsis.com/archives/bugtraq/2006-06/0035.html
Gentoo > GLSA200606-04: Tor
http://archives.neohapsis.com/archives/bugtraq/2006-06/0043.html
Gentoo > GLSA200606-05: Pound
http://archives.neohapsis.com/archives/bugtraq/2006-06/0037.html
Gentoo > GLSA200606-06: AWStats
http://archives.neohapsis.com/archives/bugtraq/2006-06/0064.html
Gentoo > GLSA200606-07: Vixie Cron
http://archives.neohapsis.com/archives/bugtraq/2006-06/0098.html
Gentoo > GLSA200606-08: WordPress
http://archives.neohapsis.com/archives/bugtraq/2006-06/0119.html
Mandriva > MDKSA-2006:095: libtiff
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0105.html
Mandriva > MDKSA-2006:096: openldap
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0106.html
Mandriva > MDKSA-2006:097: MySQL
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0107.html
Mandriva > MDKSA-2006:098: PostgreSQL
http://archives.neohapsis.com/archives/linux/mandrake/2006-q2/0108.html
SUSE > SUSE-SR:2006:013: phpMyAdmin, gdm
http://archives.neohapsis.com/archives/vendor/2006-q2/0096.html
SUSE > SUSE-SA:2006:030: PostgreSQL
http://archives.neohapsis.com/archives/vendor/2006-q2/0095.html
Trustix > TSLSA-2006-0032: kernel, PostgreSQL
http://archives.neohapsis.com/archives/bugtraq/2006-05/0789.html
Ubuntu > USN-289-1: tiff vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0086.html
Ubuntu > USN-291-1: FreeType vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2006-06/0088.html
Ubuntu > USN-292-1: binutils vulnerability
http://archives.neohapsis.com/archives/bugtraq/2006-06/0106.html
Ubuntu > USN-293-1: gdm vulnerability
http://archives.neohapsis.com/archives/bugtraq/2006-06/0107.html
Ubuntu > USN-294-1: courier vulnerability
http://archives.neohapsis.com/archives/bugtraq/2006-06/0099.html
Ubuntu > USN-295-1: xine-lib vulnerability
http://archives.neohapsis.com/archives/bugtraq/2006-06/0096.html
____Cross Platform____
MySQL 5.1.11-beta: SQL tampering
http://archives.neohapsis.com/archives/mysql/2006-q2/2330.html
http://archives.neohapsis.com/archives/mysql/2006-q2/2332.html
--- Sign Off
----------------------------------------------------------
Missed an issue? You can find all back issues of Security Threat Watch
(as well as Security Alert Consensus and Security Express) online.
http://archives.neohapsis.com/
Copyright (c) 2006 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com). Powered by Neohapsis Inc., a
Chicago-based security assessment and integration services consulting
group (info@neohapsis.com | http://www.neohapsis.com/).