Archive for the ‘security’ Category.
Virge 2.05
Virge 2.05. A mail scanner, to be used with Sendmail. [freshmeat.net]
Ssh Provides Free Internet Security To Univeristy Of Oregon
Ssh Provides Free Internet Security To Univeristy Of Oregon.
I’m not sure why this is news; it appears no different from the site licensed SSH has been offering to any University, including UR.
[via Moreover Computer security news]
insidious adware
A particularly insidious kind of spam. It looks like a friend sent a greeting card. Click on the link and you go to a page where it says you need to upgrade in order to get the card. They walk you through the install process. Don’t do it — this puts code on your machine, certainly adware, maybe spyware, maybe worse. Now for experienced programmers this is pretty transparent, but what about less technical users. Oy what a mess. What does the future hold? [Scripting News]
Hacking IIS — how sweet it is
The Register, Aug 11 2001 12:11PM ET:
Hacking IIS — how sweet it is.
We’ve looked over a few recent credit-card database compromises brought to our attention by CardCops (formerly AdCops), an organization which tries to get the straight dope on e-commerce hacks directly from the blackhat community to better inform merchants of threats to their systems.
The most recent victims CardCops has seen are on-line perfumery StrawberryNet.com; computer retailer mWave.com; and a very large Texas ISP called Stic.net, which gave up many thousands of credit card details, along with the records of 500 businesses and their FTP logins. All of the victims are running IIS 4 or 5 over Win-NT or 2K.
Not surprisingly, Microsoft IIS is quite popular among carders, because its got lots and lots of holes, and because its often used by people who lack the technical know-how to bung them. It’s easy to use, which makes it particularly attractive for those who want to break into e-commerce on a shoestring, and particularly attractive as well for those who just want to break in.
[via Computer security news]
Third Version Of Code Red Detected
Third Version Of Code Red Detected. ZDNet Aug 10 2001 10:24AM ET [Computer security news]
Intern proves WLAN encryption protocol vulnerable
EE Times: Intern proves WLAN encryption protocol vulnerable. Stubblefield, working as an intern at AT&T Labs with AT&T research staff members John Ioannidis and Aviel Rubin, used the $100 Prism II-based Linksys PC card and a Linux driver that could capture encrypted WEP packets to perform the attack.
Links:
- The attack, described in a recent paper by Fluhrer, Mantin & Shamir , is the most deadly to date on the embattled protocol, allowing for the rapid retrieval of the network key through passive means — regardless of the key bit length.
- A copy of Stubblefield’s report can be found online through the Rice University Web site.
Quote from Stubblefield’s report:
Given this attack, we believe that 802.11 networks should be viewed as insecure.
We recommend the following for people using such wireless networks.
- Assume that the link layer offers no security.
- Use higher-level security mechanisms such as IPsec [3] and SSH [8] for
security, instead of relying on WEP.- Treat all systems that are connected via 802.11 as external. Place all access
points outside the firewall.- Assume that anyone within physical range can communicate on the network
as a valid user. Keep in mind that an adversary may utilize a sophisticated
antenna with much longer range than found on a typical 802.11 PC card.
[via Tomalak’s Realm]
Trophie 1.01
Trophie 1.01. A daemon which uses TrendMicro libvsapi for virus scanning. [freshmeat.net]
