SecuritySearch.Net Vulnerability Report - February 25, 2000

Security Search Engine
Feb 26, 2000, 3:00:00 AM

Welcome to the SecuritySearch.Net Vulnerability Report!

Here are the top vulnerabilities, security news and top sites added to
SecuritySearch.Net in the past week. Feel free to forward this e-mail on to
a colleague or friend. If you wish to subscribe, please follow the
instructions at the end of this e-mail.

=================================================================
Sponsored by VeriSign - The Internet Trust Company
=================================================================

Secure Your Networks from DDOS Attacks!

Even if you have all the right tools, you might not have them installed
properly. Make sure your firewall is safe and secure from different types of
attacks. Download Firewall HealthCHECK, a FREE diagnostic kit that will
check the security of your firewall. VeriSign is also offering new training
for your Internet security. For more info visit:
http://www.secureit.com/verisign/attack_solutions/index.html.

=================================================================


Vulnerability of the Week
=========================

Windows 2000

During installation the admin$ share is created without a password. Users
can connect to the share as "Administrator" without the password. A
workaround is to reboot the system after installation. The admin$ share will
now use the Administrator password.
Reported by: Stephane Aubert


Top 5 Vulnerabilities this Week
===============================

1. Java VM - All builds in the 2000, 3100 and 3200 series.
A vulnerability in Java VM allows it to operate outside the bounds set on
the sandbox. Web sites can read files from the computer of a person who
visited the site. For more information visit
http://www.microsoft.com/technet/security/bulletins/ms00-011.asp
Reported by: Microsoft

2. Microsoft Site Server 3.0 Commerce Edition
An identification number generated by a wizard is not validated before use
in a database query. Remote users can create, modify, delete or read data in
the database. For more information visit
http://www.microsoft.com/technet/security/bulletin/fq00-010.asp
Reported by: Microsoft

3. InterAccess TelnetD Server 4.0 for Windows NT
A buffer overflow exists in the code that handles login commands in the
telnet session. Users can execute arbitrary code on the system.
Reported by: Ussr Labs

4. Microsoft Systems Management Server 2.0
The remote agent folder has permissions set to "Everyone - Full Control" by
default. Local users can gain elevated privileges on the system. For more
information visit
http://www.microsoft.com/technet/security/bulletin/fq00-012.asp
Reported by: Microsoft

5. asmon/ascpu
Asmon and ascpu can execute arbitrary commands as part of a user
configuration file. Local users can execute arbitrary commands on the
system. The fix is to download asmon-0.60.tgz and ascpu-1.8.tgz from
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/sysutils/
Reported by: FreeBSD

Top 5 News Stories this Week
============================

Hackers hide behind teen vandal facade, inquiry told -
http://www.it.fairfax.com.au/breaking/20000222/A33010-2000Feb22.html

Want to publish your credit card details? That'll do nicely, sir -
http://www.theregister.co.uk/000222-000013.html

ATM Machines Hacked in Moscow -
http://www.technologyevaluation.com/research_notes/10-99/EV_ST_LPT_10_99_1.htm

Student Charged in Govt. Hack -
http://www.wired.com/news/technology/0,1282,34539,00.html

Microsoft Says Hackers Hit Its Site -
http://www.wired.com/news/business/0,1367,34540,00.html

@Home Scans Own Customers -
http://www.technologyevaluation.com/news_analysis/02-00/NA_ST_LPT_02_21_00_1.htm


Top Sites added to SecuritySearch.net this Week
===============================================

Systems Engineering Consultants - ICE, Inc. provides technical and systems
services for security, cryptography, communications and OPSEC/TECSEC.
http://www.inc.com/users/ICE.html

Ardon's Networking and Hardware Site - Networking security, performance and
tutorials. http://www.ardon.ods.org

IDS Intelligent Detection Systems Inc. - IDS develops and manufactures
leading-edge narcotics and explosives trace detection devices - from
hand-held units to drive-through systems. http://www.tracedetection.com

Adaptive Security Programs - Espiria is a provider of adaptive security
solutions. Our services include strategic business planning, information
security consulting services, technical deployment services and program
management services. http://www.espiria.com

Security Policies & Standards: Effective Implementation - Security policies
and baseline standards are useless unless they are widely implemented. But
how do you achieve this and how do you manage this?
http://www.security.kirion.net/securitypolicy/

Data Protection Act - Compliance Made Easy - The Data Protection Act 1998 is
a complex piece of legislation. Achieving compliance can be much easier,
however, using a proven method to manage the task.
http://www.riskserver.co.uk/dataprotection/

Security Risk Analysis, Risk Assessment & Risk Management - Security risk
analysis and risk management are fundamental to your security. COBRA is a
unique security risk analysis and risk assessment product, enabling all
types of organisation to manage risk efficiently and cost effectively.
http://www.pcorp.u-net.com/intro.htm

Compliance Software for BS 7799 - COBRA for BS 7799 is designed to check and
manage compliance against the BS 7799 Security Standard.
http://www.ca-systems.zetnet.co.uk/bs7799/


Questions
=========

If you have any questions or suggestions please contact us at
feed...@securitysearch.net


Subscription
============

To subscribe to this newsletter please send an e-mail to
vulnerabi...@securitysearch.net with the word "subscribe" in the
message body.

To unsubscribe from this newsletter please send an e-mail to
vulnerabi...@securitysearch.net with the word "unsubscribe" in the
message body.

Privacy
=======

We respect your privacy and do not make your e-mail address known to other
parties. For full details of our privacy policy please visit
http://www.securitysearch.net

=======================================================
Copyright Shake Communications Pty Ltd, 2000. All Rights Reserved.

