Computer Security Weekly, April 24, 2000

Replying to spam with abusive emails is a bad idea. First, it really only lets the spammer know that they've hit a live address. Second, *you* can be more easily charged for sending the abusive messages than the spammer can for sending unsolicited commercial email. Yet Cisco Systems was recommending that users do exactly that. They later recanted.
http://www.theregister.co.uk/000404-0000...
http://www.theregister.co.uk/000407-0000...

Infowar is starting to become real as groups are using various means to attack sites they don't like. Some recent examples involve a group trying to oppose the development of genetically modified foods, Serbians attacking pretty much everybody, and some Napster fans who don't like Metallica's lawsuit.
http://www.computeruser.com/news/00/04/1...
http://www.wired.com/news/business/0%2C1...
http://www.currents.net/newstoday/00/04/...
http://www.thestandard.net/article/displ...

BUGTRAQ readers have recently been finding a whole lot of ways to deny service to pcANYWHERE programs. Any server that is found can apparently be shut down remotely, sometimes requiring a reboot of the server machine.

The big furor in the past two weeks has been the "Weenies" security loophole in FrontPage 98, and other versions. The long form of the story is too detailed to give here, involving denials, admissions, and countless tests and research. The short form is that a kind of password exists in the product, and using the phrase "Netscape engineers are weenies!" can give you access to materials you shouldn't be able to access. The short fix is: delete the file dvwssr.dll. It's only there for compatibility with a long defunct version of another program.
http://interactive.wsj.com/articles/SB95...
http://www.microsoft.com/technet/securit...
http://www.microsoft.com/technet/securit...
http://www.zdnet.com/zdnn/stories/news/0...
http://www.pcworld.com/cgi-bin/pcwtoday?...
http://www.ntbugtraq.com/default.asp?pid...
http://www.microsoft.com/technet/securit...

Just briefly, while you are creating your emergency NT disk with RDISK (you do this regularly, don't you?), it creates a temporary file with confidential data that is not protected. The chance of someone snagging this file is admittedly slim, but it is a loophole.
http://support.microsoft.com/support/kb/...

Georgi's at it again. This bug is pretty bizarre, in that it involves first using Java (because of a bug in Microsoft's implementation of Java) to reconfigure security settings, and then exploiting the resulting security weakness with JavaScript. As usual, the fix is to disable Active Scripting, but there's a catch this time. Mr. Guninski has *also* found that, separately, the ability to disable Active Scripting can be eliminated if Java and Scripting of Java applets are enabled. A demonstration is available at
http://www.nat.bg/~joro/jsinject.html

The US government is making noises about data security again. One reporter present at the briefing noted that a number of good points were made. However, some proposals that were floated about sharing information would actually jeopardize the existing means such as the BUGTRAQ and NTBUGTRAQ mailing lists. Also, a number of government speakers still don't seem to Get It, speaking as if security were some single programming error, or as if everyone in the world was using
The copyright of the article Computer Security Weekly, April 24, 2000 in Computer Security is owned by Robert Slade. Permission to republish Computer Security Weekly, April 24, 2000 in print or online must be granted by the author in writing.