NEWS - February 11, 2005

Flaw in mail-list software leaks passwords
Published: February 10, 2005, 2:11 PM PST
By Robert Lemos
Staff Writer, CNET

A previously unknown vulnerability in Mailman, a popular open-source program for managing mailing lists, has led to the theft of the password file for a well-known security discussion group.

The theft, discovered this week and reported in an announcement to the Full Disclosure security mailing list on Wednesday, casts uncertainty on the security of other discussion groups that use the open-source Mailman package. By specially crafting a Web address, an attacker can obtain the password for every member of a discussion group.

"Anyone with a Web browser can download a file off a vulnerable system--it's (easy to do)," said John Cartwright, co-founder and manager of the Full Disclosure mailing list. The attack, known as a remote directory traversal exploit, occurred on Jan. 2, according to Cartwright's investigation. "As far as our server goes, there is no evidence that any other files were accessed using this flaw."

"Google hacking" digs up sensitive material

Hackers have found a handy tool to take control of bank accounts, tap into corporate computer networks and dig up sensitive government documents.

It's called Google.

The Internet's most popular search engine can find everything from goldfish-care tips to old classmates in the blink of an eye, but it's equally adept at finding caches of credit-card numbers and back doors into protected databases.

Google Inc. and other search providers create an inventory of the World Wide Web through an automated process that can uncover obscure Web pages not meant for the public.

"If you don't want the world to see it, keep it off the Web," said Johnny Long, a Computer Sciences researcher and author of "Google Hacking for Penetration Testers."

Study: Anti-spyware market to boom in 2005

Published: February 11, 2005, 11:44 AM PST
By CNET Staff

This may be a good year to be an anti-spyware vendor.

Sixty-five percent of businesses--big and small--surveyed by Forrester Research said they plan to put money into protecting their systems from malicious and prying software programs in 2005.

Technology decision makers from 185 North American companies of all sizes participated in the survey. While 69 percent of large enterprises said they would purchase anti-spyware tools this year, only 53 percent of small and medium businesses said they'd go for such protection, it found.

The study exposed several cracks in firms' anti-spyware strategy. Almost 40 percent of respondents failed to put a number to the total number of their machines that have been infected. According to the rest, about 17 percent of their systems had already suffered from spyware, a number Forrester expects to climb to 25 percent within 12 months.

This week in Web threats

Published: February 11, 2005, 10:05 AM PST
By Steven Musil
Staff Writer, CNET

The Internet is always good for a little fear and loathing.

Internet vigilantes have launched a 48-hour bandwidth attack against spammers who allegedly defraud people online.

The 419 Flash Mob, supported by Artists Against 419, has declared war on criminals who host fake bank Web sites in the hope of luring victims to deposit money there. According to Artists Against 419's Web site, "This flash mob is in celebration of Chinese New Year...Our aim is to shut down eight fake bank web sites in less than 48 hours!"

So-called 419 scams, also known as advance fee fraud, consist of e-mails, letters and faxes asking for help to recover a large sum of money from a bank, in return for a share of the loot. Some of these scammers have now graduated to running their own fake banking Web sites.

Meanwhile, virus writers have created a malicious program that can disable Microsoft's new anti-spyware application. Antivirus experts, who are calling the Trojan "Bankash-A," say it is the first piece of malicious software to attack Windows AntiSpyware, which is still in beta.

Liberty Alliance update steps up security

Published: February 11, 2005, 10:20 AM PST
By Dawn Kawamoto
Staff Writer, CNET

The Liberty Alliance has released the second version of its standards for identity verification for Web services.

The Internet security consortium said on Friday that the public draft release of ID-WSF 2.0 extends its technical specifications to include support for SAML 2.0, the second version of Security Assertion Markup Language. The update aims to make it easier to communicate identity information with software based on other, open Web services standards, such as those from OASIS.

"Successful identity management has become a critical factor in application development and the necessary foundation for deploying all Web services," George Goodman, president of Liberty Alliance's management board, said in a statement.
