Security Digest 3.05

Table Of Contents

Security Headlines

How Much Damage Did Mitnick Do?
Wired News

The Light that Cracks the Code
Wired News

Is There a Snoop on Your Site?
Forbes Digital Tool

Math professor wins landmark crypto ruling
News.com

Malicious Hacker steals Hotmail passwords
News.com

IT Embracing Security Policies
PCWeek

Netmarket Exposes Customer Order Data
News.com

Security News

99-05-03 - ICQ Webserver problems continue

Though a patch for last month’s ICQ webserver problems has now been made available by Mirabilis, the latest version of the ICQ mini-webserver contains a small bug that allows remote users to test for the presence of (but not read) a file on the local system. Briefly, when the remote user attempts to traverse to previous levels of the directory hierarchy, a 404 Forbidden message is presented if the file being accessed exists; if no such file is present, the standard 403 message is issued. The two different responses therefore act as a file-existence oracle.
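The ICQ behaviour above is a general pattern: a server that checks the traversal only after consulting the filesystem answers differently for existing and missing files, whichever way the two codes are assigned. The following is an added illustration (not code from the digest or from Mirabilis) with a constructed document root and file set; it shows the leaky ordering beside the hardened one, plus the self-check a server operator can run against a handler.

```python
import posixpath

DOCROOT = "/srv/icq_www"  # constructed document root, not a real path
# Constructed file set standing in for the local filesystem.
FILES = {"/srv/icq_www/index.html", "/etc/passwd"}


def _exists(path: str) -> bool:
    """Stand-in for a real filesystem lookup."""
    return path in FILES


def _resolve(request_path: str) -> str:
    """Join the request onto DOCROOT and collapse '..' and '//' segments."""
    return posixpath.normpath(DOCROOT + "/" + request_path)


def leaky_serve(request_path: str) -> int:
    """Vulnerable order of operations: look the file up first, check scope
    second. An escaping path to a missing file yields 404, an escaping path
    to an existing file yields 403, so the status code reveals existence."""
    target = _resolve(request_path)
    if not _exists(target):
        return 404
    if not target.startswith(DOCROOT + "/"):
        return 403
    return 200


def safe_serve(request_path: str) -> int:
    """Hardened order: reject anything that escapes DOCROOT before touching
    the filesystem, so every escaping path gets the same answer."""
    target = _resolve(request_path)
    if target != DOCROOT and not target.startswith(DOCROOT + "/"):
        return 403
    return 200 if _exists(target) else 404


def leaks_existence(serve, existing="../../etc/passwd",
                    missing="../../etc/nothing") -> bool:
    """Operator self-check: an escaping path to a file known to exist and one
    to a file known not to exist must produce identical status codes."""
    return serve(existing) != serve(missing)
```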

99-05-04 - New Crypto Advances

Adi Shamir, co-developer of the RSA algorithm and one of the world’s leading cryptographers, has announced the design of a device that may allow code breakers to decipher even 512-bit RSA keys in the near future.

The paper, announced at EuroCrypt ’99 in Prague, describes a device called TWINKLE. TWINKLE uses dedicated opto-electronic hardware to attack the factoring problem, producing an estimated threefold decrease in the time necessary to factor a large number.

A detailed analysis of this approach can be found at RSA Labs.

99-05-05 - New NT Bastion Host Paper

Stefan Norberg, of HP Consulting Sweden, has written a paper entitled Building a Windows NT bastion host in practice. The paper gives detailed instructions for configuring Windows NT for use as an exposed (bastion) host. It is available from HP Sweden.

99-05-05 - FTP Serv-U Buffer Overflows

FTP Serv-U 2.5, the popular Windows-based FTP server software, contains buffer overflows in many server commands. These overflows can easily cause denial-of-service conditions and may be exploitable by a remote user. An updated version has been released and is available from Deerfield.

99-05-07 - Constitutional Crypto Challenge Succeeds

In a landmark ruling in the US Crypto debate, the Ninth Circuit Court of Appeals ruled in favor of Dan Bernstein in his challenge against the Justice Department. The ruling upheld his right, under First Amendment protection, to post the source code for cryptographic software on his web site. The details of the ruling are available online.

99-05-07 - Patch now available for Oracle Hole

Oracle has released a patch for the recent oratclsh setuid issues. In preparing for this patch, Oracle also fixed several other potential security holes. Oracle Metalink customers may retrieve the patch (in the form of a shell script) from Oracle. Other users may find it in the BugTraq archives.

99-05-11 - SP5 Fixes Source Routing

With the release of Windows NT Service Pack 5, Microsoft customers can finally disable source routing in the TCP/IP Stack. For details, see Microsoft Knowledge Base article Q217336. A number of other security issues are also corrected in SP5.

This Month’s Advisories

99-05-05 - NAI AntiVirus Update Problem

About the Digest

Codetalker Digest was a monthly summary of security related news, information, and advisories collected throughout the month by Codetalker Communications, Inc.

About Codetalker

Codetalker Communications, Inc. was the creation of Calgary-based systems professionals Kjell Wooding, Evan Spence, Steve McQuade, Chris Grant, and Mat Hepton. It was born out of the need for a security focused consulting and development company in Western Canada.

Codetalker took its name from the Navajo codetalkers, Navajo radiomen employed by the US Marine Corps during World War II. Because they spoke a rather cryptic and slangy version of the Navajo language—one that was difficult for even uninitiated Navajos to understand—codetalker communications were essentially impossible for the Enemy to decode.

Codetalker Communications, Inc. was primarily focused in the areas of system and network security, including Internet and Intranet-related issues.

Disclaimer

By its very nature, security-related information can often be hard to come by. Many vendors (and users) do not subscribe to an open policy when it comes to releasing security information. This is unfortunate, as the policy of “security through obscurity” has repeatedly proven itself a dangerous and highly fallible posture. The information contained in this digest came from a variety of publicly accessible sources. Wherever possible, Codetalker Communications, Inc. tried to deliver the most accurate information possible; however, it cannot be held responsible for errors or omissions contained herein. If you are aware of any errors in this digest, please contact Kjell Wooding.

Redistribution

Codetalker Digest is copyright © 1997-99, Codetalker Communications, Inc. It may be freely redistributed provided that this copyright notice remains intact, and no fee is charged for its distribution.
