Taxonomy of INFOSEC Issues (category codes used by the index of entries below)

0 Unclassified
01 Introduction
02 Taxonomy of INFOSEC Issues
03 Sources of Information
04 Copyright
05 Using IYIR
06 The INFOSEC UPDATE Course
07 Acknowledgements
08 About the Editor
10 HEADING: Computer Crimes (cases, indictments, convictions, sentences)
11 Breaches of confidentiality
11.1 Data leakage
11.2 Unauthorized disclosure
11.3 Data theft
11.4 Covert channels
12 Wiretapping, interception (not jamming; not govt/law enforcement)
12.1 Wiretapping
12.2 Interception
12.3 Injection
13 Data diddling, data corruption, embezzlement
13.1 Data diddling
13.2 Data corruption & destruction
13.3 Embezzlement
13.4 Obsolescence
14 Viruses, virus-hoaxes, Trojans (assembly level or macro: not ActiveX or Java)
14.1 Viruses
14.2 Worms
14.3 Virus/worms
14.4 Trojans & rootkits
14.5 Virus hoaxes
15 Fraud (not embezzlement), extortion, slamming
15.1 Fraud
15.2 Extortion
15.3 Slamming
16 INFOWAR, industrial espionage, hacktivism
16.1 Industrial espionage
16.2 Industrial information systems sabotage
16.3 Infrastructure protection & homeland security
16.4 Military & government perspectives on INFOWAR
16.5 Hacktivism
16.6 Disinformation, PSYOPS
17 Penetration, phreaking, cramming, uncapping (entering systems, stealing telephone or other services)
17.1 Penetration
17.2 Web vandalism
17.3 Phreaking, cramming, uncapping, theft of services
18 Theft/loss of equipment (laptops, ATMs, computers, cables, network components)
18.1 Theft of equipment
18.2 Loss of equipment
19 Counterfeits, forgery (including commercial software/music piracy)
19.1 Software piracy
19.2 Music piracy
19.3 Movies / TV piracy
19.4 Books / e-books piracy
19.5 Games piracy
19.6 Counterfeit currency, credit-cards, other negotiable tokens
19.7 Counterfeit legal or business documents
19.8 Plagiarism & cheating
19.9 Counterfeit products (hardware, clothing etc.)
1A Criminal hacker scene (conventions, meetings, testimony, biographies, publications)
1A1 Criminal hacker conventions and meetings
1A2 Criminal hacker testimony in court or committees
1A3 Biographical notes on individual criminals (including arrests, trials)
1A4 Criminal hacker publications
1A5 Criminal hacker organizations
1A6 Criminal hacker psychology
1B Pornography, Net-harm, cyberstalking, gambling, online auctions
1B1 Adult pornography
1B2 Child pornography
1B3 Pedophilia, kidnapping, Net-adoption fraud
1B4 Stalking & harassment
1B5 Gambling
1B6 Auctions
1B7 Hate groups, speech
1B8 Traffic in women, slavery
1B9 Non-virus hoaxes, urban myths
1C Identity, impersonation, spoofing
1C1 Impersonation
1C2 Identity theft
1C3 Pseudonymity
1C4 Anonymity
1C5 Phishing
1D Law Enforcement & Forensics (technology, organizations, proposals, litigation, rulings, judgements)
1D1 Organizations, cooperation for law enforcement
1D2 Technology for law enforcement
1D3 Litigation, legal rulings, judgements affecting law enforcement
1D4 Government funding for law enforcement
20 HEADING: Emerging Vulnerabilities & Defenses
21 Quality assurance failures including design flaws
21.1 General QA failures
21.2 Security product QA failures
21.3 Embedded processors
21.4 SCADA (supervisory control and data acquisition) systems, vehicle controls
21.5 Robots, botnets
22 Availability problems
22.1 DoS attacks
22.2 DDoS attacks
22.3 DoS countermeasures
22.4 Accidental availability disruptions
23 Internet tools
23.1 Java
23.2 Javascript
23.3 ActiveX
23.4 HTML, XML, browsers
23.5 E-mail & instant messaging or chat
23.6 Web-site infrastructure, general Web security issues
23.7 VoIP
23.8 SMS
23.9 PERL, CGI scripts
24 Operating systems, network operating systems, TCP/IP problems (alerts & improvements)
24.1 Windows 9x/Me
24.2 Windows NT/2K/XP
24.3 UNIX flavors
24.4 TCP/IP & HTTP
24.5 LAN OS
24.6 WAP, WEP, Wi-Fi, Bluetooth, 802.11, WiMax
24.7 SWDR (Software-defined radio)
24.8 MAC OS
24.9 Peer-to-peer networking
24.A Secure processors
24.B Robust systems (hw / sw)
25 Computer remote control & disruption
25.1 Remote control, RATs, reprogramming, auto-updates
25.2 Jamming
25.3 RFI, HERF, EMP/T
26 Health effects of electronic equipment (phones, screens, etc.)
26.1 Radiation
26.2 Toxic materials
26.3 Heat
26.4 Distraction
27 Security tools
27.1 Vulnerability assessment
27.2 Port scans
27.3 Intrusion detection systems
27.4 Firewalls & other perimeter defenses
27.5 Honeypots
27.6 Honeynets
27.7 Anti-malware technology
28 Automated surveillance
28.1 Spyware, Web bugs & cookies
28.2 Scumware
28.3 Keystroke loggers
28.4 Cell/mobile phones/GPS/cameras
28.5 Serial numbers
28.6 RFID tags
29 Sociology of cyberspace
29.1 Addiction, games & violence
29.2 Cyberdating & cybersex
29.3 Digital divide
29.4 Online & electronic voting
29.5 Online legal proceedings
29.6 Flash crowds, social e-links
29.7 Outsourcing
30 HEADING: Management & Policy
31 The state of information security & technology
31.1 Surveys, studies, audits of security
31.2 Estimates, guesses, predictions, forecasts concerning security
31.3 New technology with security implications
31.4 Outsourcing
32 Censorship, indecency laws, 1st amendment (law)
32.1 Censorship in the USA
32.2 Censorship outside the USA
33 Policies, risk analysis, risk management
33.1 Acceptable use policies
33.2 Spam, spim, spit & splogs
33.3 Authorization, access controls
33.4 Risk analysis & management
34 Net filters, monitoring (technologies)
34.1 Net filters
34.2 Usage monitoring, audit trails (employees, children)
35 DNS conflicts, trademark violations (Net, Web)
35.1 Cybersquatting
35.2 Trademarks vs DNS
35.3 Politics & management of the DNS
36 Responses to intrusion
37 Education in security & ethics
37.1 Elementary & middle school programs
37.2 High school programs
37.3 Undergraduate programs
37.4 Master's programs
37.5 Doctoral programs
37.6 Industry courses
37.7 Conferences
37.8 Web sites
37.9 White papers
37.A Books
38 Consumer/employee / individual privacy, profiling & surveillance (non-governmental)
38.1 Consumer / employee / individual profiling & surveillance (non-governmental)
38.2 Trade in personal information
38.3 Industry efforts for individual privacy protection
38.4 International agreements on security, individual privacy, Net law
38.5 EU case law, legislation & regulation concerning individual privacy (not govt surveillance)
38.6 US case law, legislation & regulation concerning individual privacy (not govt surveillance)
38.7 Other case law, legislation & regulation concerning individual privacy (not govt surveillance)
38.8 Law enforcement & privacy rights
38.9 Medical information & HIPAA
40 HEADING: Defensive Technology, Law of E-commerce, Intellectual Property
41 Cryptanalysis techniques & tools
42 Crypto algorithms (weakness, brute-force attacks, implementation flaws)
42.1 Crypto algorithm weaknesses
42.2 Brute-force attacks
42.3 Crypto product implementation flaws
43 I&A products (tokens, biometrics, passwords, Kerberos)
43.1 Tokens
43.2 Biometrics
43.3 Passwords
43.4 Kerberos
43.5 Single sign-on
43.6 E-mail authentication (e.g., SPF & SenderID)
44 Encryption algorithms, products (including steganography)
44.1 Crypto algorithms
44.2 Crypto products
44.3 Steganography
45 E-commerce security, digital signature, products, digital cash, e-payments
45.1 PKI (Digital signatures / certificates)
45.2 Digital cash
45.3 Micropayments
45.4 E-payments; e.g., credit-cards, e-brokers
45.5 Digital-rights management (DRM); e.g., copy protection, digital watermarks
45.6 Smart cards and other e-commerce security measures
45.7 Sales taxes on Internet commerce
45.8 E-commerce laws
45.9 E-shopping carts
46 Cryptography exports from US; Key escrow
47 US computer-crime laws
48 Foreign cyberlaws (not cases or sentences)
48.1 Non-US cryptography laws
48.2 Non-US computer-crime laws
48.3 Non-US intellectual property laws
49 Government surveillance, legislation regulating govt surveillance, case-law
49.1 US government surveillance of citizens
49.2 Non-US government surveillance of citizens
4A Evolution of Net law: framing, pointing, linking, jurisdiction, neutrality
4A1 Framing
4A2 Pointing, linking, deep linking, metatext
4A3 Jurisdiction
4A4 Blocking
4A5 Archives
4A6 Libel
4A7 Spam
4A8 Liability
4A9 Net neutrality
4B Intellectual property: patents, copyrights (law)
4B1 Copyrights
4B2 Patents
4B3 Reverse engineering
4B4 EULA (End-user license agreements)
4B5 Trademarks
4C Security paradigms, risk management, site-security certification, professional certification
4C1 Paradigms, security standards
4C2 Risk management methodology & tools
4C3 Certification of site security, privacy protection
4C4 Professional certification in security, auditing
4C5 Academic/Industry/Vendor/Govt efforts
4D Funny / miscellaneous

Entries

TIVO GOES MOBILE
TiVo has introduced a mobile option for its subscribers called TiVoToGo. The service, which requires the installation of free TiVo Desktop software on the target computer, enables users to transfer programs to their laptops, as long as copyright protections are in place. "Consumers don't want to be tied to their living room to watch their favorite entertainment," says TiVo chief marketing officer Matt Wisk. "With TiVoToGo, subscribers can take their favorite shows with them to enjoy on business trips or family vacations." The TiVo Desktop software is designed for the Windows XP and 2000 operating systems, and avoids content that uses Macrovision copy protection technology, including pay-per-view and video-on-demand programming and commercial DVDs. (CNet News.com 3 Jan 2005)

INTERNET EXPLORER FTP DOWNLOAD DIRECTORY TRAVERSAL
A vulnerability has been reported in Internet Explorer which can be exploited by a malicious FTP server to compromise a user's system. It is caused by an input validation error in the handling of FTP file transfers: a malicious FTP server can create files in arbitrary locations via directory traversal by tricking a user into downloading malicious files (e.g. by dragging or copying a file or folder). The vulnerability does not affect systems running Windows XP with SP2 installed.

WHAT'S UP NEXT FOR E-LEARNING?
"Colleges, universities and the military will outpace corporations in rolling out innovative and effective learning programs. Computer games will increasingly be viewed as a new type of scalable content that will raise the bar on engagement and enable new types of skills to be taught," predicts Clark Aldrich, author of "Simulations and the Future of Learning," in a collection of expert prognostications assembled by eLearn Magazine editor Lisa Neal.
Among the contributors are Don Norman, co-principal of the Nielsen Norman Group, who forecasts the rise of adult educational tools: "I expect language tutors for adults. Why not combine handheld dictionaries, phrase translators, and CD-ROM courses into a portable device?" And Indiana U. professor Curt Bonk sees a bright future for open-source courseware: "Jumping on the open-source bandwagon may mean supporting innovative pilot projects, funding code enhancements and joining the Sakai community." But as emerging technologies such as blogs, wikis and podcasts draw the attention of major commercial players like Microsoft, Yahoo and Google, look for a new bout of legal wrangling, says Canada's National Research Council's Stephen Downes: "But as grassroots technologies are appropriated for commercial objectives, conflicts over rights and use emerge, and competing standards extensions create genuine difficulties for users. Expect, for example, patent claims and threats of lawsuits over aspects of content syndication technology, lawsuits regarding unauthorized use of RSS feeds... Behind the scenes (and mostly unnoticed), the Web is beginning to fracture. Some time in the next three years the first case of URL-piracy (releasing the address of a resource without authorization) will be heard." (eLearn Magazine Jan 2005)

Index of entries (source; URL | keywords | category code from the taxonomy above)

DHS IAIP Daily; http://www.securitytracker.com/alerts/2005/Jan/1012817.html | Novell NetWare CIFS.NLM software denial of service DoS vulnerability update issued | 24.5
DHS IAIP Daily; http://www.microsoft.com/technet/security/Bulletin/MS05-001.mspx | Microsoft Windows Security Bulletin HTML Help vulnerability code execution full rights attacker critical rating update issued | 24.2
DHS IAIP Daily; http://www.microsoft.com/technet/Security/bulletin/ms05-002.mspx | Microsoft Windows Security Bulletin cursor icon format handling vulnerability code execution full rights attacker critical rating update issued | 24.2
DHS IAIP Daily; http://www.microsoft.com/technet/security/bulletin/MS05-003.mspx | Microsoft Windows Security Bulletin indexing service format handling vulnerability code execution full rights attacker important rating update issued | 24.2
DHS IAIP Daily; http://www.securityfocus.com/news/10271 | hacker penetration T-Mobile wireless product manufacturer customer private information disclosure | 17.1
DHS IAIP Daily; http://rhn.redhat.com/errata/RHSA-2005-030.html | Netscape Directory Server access control stack buffer overflow vulnerability denial of service DoS code execution attack | 24.3
DHS IAIP Daily; http://sunsolve.sun.com/search/document.do?assetkey=1-26-57717-1 | Sun Alert user account creation Solaris operating system quality assurance failure | 24.3
NewsScan; http://www.nytimes.com/2005/01/10/technology/10cellphone.html | credit cards cell phones security e-wallets | 45.4
NewsScan; http://www.reuters.co.uk/newsArticle.jhtml?type=internetNews&storyID=7250030&section=news&src=rss/uk/internetNews | Apple data leakage confidentiality Thinksecret.com intellectual property lawsuit non-disclosure agreement NDA | 24.8
DHS IAIP Daily; http://secunia.com/advisories/13734/ | WinAce GZIP ZIP vulnerability directory traversal attack | 21.1
DHS IAIP Daily; http://www.fcw.com/fcw/articles/2005/0103/web-voip-01-06-05.asp | National Institute of Standards and Technology NIST concern Voice over IP VoIP security vulnerabilities firewalls encryption report | 23.7
NewsScan; http://www.washingtonpost.com/wp-dyn/articles/A51966-2005Jan5.html | DMCA Digital Millennium Copyright Act BSA Business Software Alliance ISP Internet service provider law legislation proposal change immunity piracy | 4B1
NewsScan; http://www.siliconvalley.com/mld/siliconvalley/10561389.htm | piracy movie BitTorrent eDonkey source monitoring surveillance movies intellectual property copyright infringement file-sharing | 19.3
NewsScan; http://news.com.com/TiVo+goes+mobile+with+new+free+service/2100-1041_3-5510240.html | TiVo copy protection mobile viewing entertainment intellectual property copyrights legal fees video | 19.3
DHS IAIP Daily; http://secunia.com/advisories/13704/ | Microsoft Internet Explorer IE vulnerability download directory traversal attack FTP file transfer protocol Windows XP SP2 not vulnerable | 23.6
NewsScan; http://www.elearnmag.org/subpage/sub_page.cfm?article_pk=13262&page_number_nb=1&title=COLUMN | eLearning prediction URL piracy RSS online courses technology advances games | 37

SOFTWARE GROUP WANTS TO CHANGE COPYRIGHT ACT
The Business Software Alliance, whose members include Microsoft, IBM, Intel, Adobe, and other high-tech giants, wants Congress to clamp down on Internet service providers whose users swap copyrighted software, music or video files online through services such as Kazaa, Grokster and Morpheus. The group wants Congress to amend the 1998 Digital Millennium Copyright Act but has so far offered no specifics on how that law should be changed -- except to suggest that Internet service providers should no longer enjoy blanket immunity from liability for piracy by users. However, the BSA approach has a number of critics, such as Mike Godwin of the group Public Knowledge, who calls the approach a "terribly bad idea," and Verizon attorney Sarah B. Deutsch, who warns: "The best policy is not to have the service provider become Big Brother. BSA wants its own shortcut, at the expense of consumer privacy and the ISPs." (Washington Post 5 Jan 2005)

THE CONTINUING FIGHT AGAINST ONLINE PIRATES
A company called BayTSP of Los Gatos, California, has developed a monitoring system to identify the sources of bootleg copies of movies transmitted over file-sharing networks such as eDonkey and BitTorrent. BayTSP chief executive Mark Ishikawa explains, "Pirated copies of movies and software typically appear online within hours of release. Identifying and taking action against the first uploaders can greatly slow the distribution of illegally obtained intellectual property and might make users think twice before doing it."
Ishikawa says the technology not only identifies the hard-core pirates who contribute to massive online piracy, but is also able to quantify the number of illegal copies made from the original bootleg (information necessary when a copyright-infringement lawsuit is subsequently filed). (San Jose Mercury News 4 Jan 2005)

LINUX KERNEL MULTIPLE VULNERABILITIES
Multiple vulnerabilities have been reported in the Linux kernel, which potentially can be exploited by malicious local users to cause a denial of service, disclose sensitive information, or gain escalated privileges on a vulnerable system. The solution is to grant only trusted users access to affected systems.

MPG123 MPEG LAYER-2 BUFFER OVERFLOW VULNERABILITY
A vulnerability has been reported in mpg123, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an error in the parsing of frame headers for layer-2 streams. This may be exploited to cause a heap-based buffer overflow via a specially crafted MP2 or MP3 file. Successful exploitation may allow execution of arbitrary code with the privileges of the user executing mpg123. There is no solution at this time.

TO PROTECT ITS "DNA," APPLE SUES THINKSECRET.COM
Apple Computer is suing the Web site thinksecret.com for allegedly distributing Apple trade secrets by leaking details of upcoming products. The suit alleges that Think Secret owner Nick dePlume and other unnamed individuals posted information on thinksecret.com that could only have been obtained by someone who had signed a confidentiality agreement with Apple. A statement from Apple says: "Apple's DNA is innovation, and the protection of our trade secrets is crucial to our success."
But dePlume says he's confident that Think Secret's reporting is consistent with the rights and privileges granted by the First Amendment. (Reuters 6 Jan 2005)

WINACE GZIP AND ZIP DIRECTORY TRAVERSAL VULNERABILITY
A vulnerability has been reported in WinAce 2.5, which potentially can be exploited by malicious people to compromise a user's system. The vulnerability is caused by an input validation error when extracting files compressed with GZIP (.gz) or ZIP (.zip). This makes it possible to have files extracted to arbitrary locations outside the specified directory using the "../" directory traversal sequence. There is no solution at this time.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) RAISES CONCERNS ABOUT VOICE OVER INTERNET PROTOCOL (VOIP)
Government administrators may not understand the complexity of installing security systems for Internet telephony, a new government study suggests. Officials at the National Institute of Standards and Technology (NIST) released a January 5 report that examines security vulnerabilities in Internet-based telephone systems and raises concerns about an emerging technology that otherwise appears to offer many advantages over traditional telephone networks. Security concerns described in the report suggest that the cost and complexity of installing such systems is greater than people realize. The report's authors say that security measures such as firewalls and encryption used in traditional data networks are incompatible with current Internet-based telephone systems and can cause serious deterioration in the voice quality possible on such systems. To compensate for the current security vulnerabilities of Voice over Internet Protocol (VoIP) technology, NIST officials made several recommendations in the report.
Report: http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

SQUID NTLM FAKEAUTH_AUTH HELPER
A memory leak has been reported in Squid's NTLM fakeauth_auth helper: under high load, or after running for a long period of time, the helper may run out of memory. In addition, a remote user can send a specially crafted NTLM type 3 message to cause a segmentation fault, resulting in a denial of service. As a solution, apply the following patch: http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch

NETWARE RUNNING CIFS.NLM
A denial of service vulnerability was reported in NetWare when running CIFS.NLM. A remote user can conduct a network port scan against the target system to cause it to "hard lock" if the system is running CIFS.NLM at the time of the scan. As a solution, the vendor has issued a CIFS update for NetWare 5.1 and 6.0, described at: http://support.novell.com/cgi-bin/search/searchtid.cgi?/2970488.htm

STACK BUFFER OVERFLOW IN THE NETSCAPE DIRECTORY SERVER ACCESS CONTROL CODE
A stack buffer overflow was found in the access control code in Netscape Directory Server 6.21 and earlier. A remote attacker who can communicate with the LDAP service could trigger this flaw by creating a carefully crafted attribute change request. A successful exploit would lead to a denial of service (crash) or potentially to remote code execution on the server. Patches in the form of updated libraries that correct this issue are available on request from the Red Hat Security Response Team. Please contact secalert@redhat.com.

SMC DEFAULT CONFIGURATION GUI CREATES USER ACCOUNTS WITH BLANK PASSWORD INSTEAD OF LOCKED ACCOUNT
User accounts created with the Solaris Management Console (SMC) GUI which are configured for password aging (so that the shadow(4) aging fields are set) may allow login without specifying a password. This occurs when a user account is created with SMC in its default configuration with aging fields set and no password supplied: SMC does not prompt for a password when creating the account, and the resulting account has an empty password field rather than a locked one. To work around the described issue, always supply a password while creating user accounts with SMC; an account created without one should be locked by default, not left with a blank password.

CELL PHONES COULD DOUBLE AS CREDIT CARDS
In Asia, cell phone handset makers are already marketing phones with embedded memory devices (a chip or magnetic strip) that can be swiped against credit or debit card readers in much the same way consumers now use plastic, and trials are underway to bring the technology to the U.S. Details are still being worked out on important issues such as security -- consumers may be required to punch in an authorization code each time they charge something -- and in two trials users experienced difficulty in aiming their cell phones at the right angle for the card reader to pick up the data. "People got very upset. Pointing your cell phone at a target is very difficult," says Jorge Fernandes, CEO of cellphone software firm Vivotech. That issue will probably be resolved by switching from infrared to low-level radio signals, but the biggest obstacle is likely to be a dearth of card readers able to interact with the phones. "The phones are exciting, but it's going to be a long time" before a widespread base of U.S. merchants and consumers are equipped to use them, says Visa International VP Sue Gordon-Lathrop.
(New York Times 10 Jan 2005)

MS05-001: VULNERABILITY IN HTML HELP COULD ALLOW CODE EXECUTION
A vulnerability exists in the HTML Help ActiveX control in Windows that could allow information disclosure or remote code execution on an affected system. If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system could be less impacted than users who operate with administrative privileges. Microsoft has assigned a risk rating of "Critical" to this issue and recommends that customers install the update immediately.

VULNERABILITY IN CURSOR AND ICON FORMAT HANDLING COULD ALLOW REMOTE CODE EXECUTION
This update resolves several newly discovered, privately reported and public vulnerabilities. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system: install programs; view, change, or delete data; or create new accounts that have full privileges. Microsoft has assigned a risk rating of "Critical" to these issues and recommends that customers apply the update immediately.

VULNERABILITY IN THE INDEXING SERVICE COULD ALLOW REMOTE CODE EXECUTION
A remote code execution vulnerability exists in the Indexing Service because of the way that it handles query validation. An attacker could exploit the vulnerability by constructing a malicious query that could potentially allow remote code execution on an affected system. An attacker who successfully exploited this vulnerability could take complete control of an affected system. While remote code execution is possible, an attack would most likely result in a denial of service condition. Microsoft has assigned a risk rating of "Important" to this issue and recommends that system administrators consider applying the security update.

HACKER PENETRATES T-MOBILE SYSTEMS
A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year. Twenty-one-year-old Nicolas Jacobsen was charged with the intrusions last October, after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The informant also produced evidence that Jacobsen was behind an offer to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board, according to court records. Jacobsen could access information on any of the Bellevue, Washington-based company's 16.3 million customers, including many customers' Social Security numbers and dates of birth, according to government filings in the case. He could also obtain voicemail PINs, and the passwords pro
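Worked example for the two directory-traversal entries above (the Internet Explorer FTP download flaw and the WinAce GZIP/ZIP extraction flaw). This is an added example, not code from Microsoft, WinAce, Secunia or the IYIR editor: it builds a small ZIP archive in memory with constructed member names, one carrying a "../" sequence and one an absolute path, and shows the check an extractor must apply before writing anything to disk: resolve the destination and refuse any member that lands outside the target directory. The same check applies to an FTP client that derives a local filename from a server-supplied name. All member names and the scratch directory are made up for the example.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import List, Optional, Tuple


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign member and two that try to
    escape the extraction directory (relative traversal and absolute path).
    zipfile stores the names exactly as given, as a hostile archiver would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        zf.writestr("../../outside.txt", "escaped\n")
        zf.writestr("/etc/absolute.txt", "absolute\n")
    return buf.getvalue()


def safe_member_path(dest_dir: str, member_name: str) -> Optional[str]:
    """Resolve member_name under dest_dir; return None if it would land
    outside. ZIP names are '/'-separated, so normalise with posixpath first,
    then compare real paths so a symlinked directory cannot be used to escape."""
    name = member_name.replace("\\", "/")
    if name.startswith("/") or os.path.splitdrive(name)[0]:
        return None
    normalized = posixpath.normpath(name)       # collapses a/./b and a/b/../c
    if normalized == ".." or normalized.startswith("../"):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *normalized.split("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def extract_safely(zip_bytes: bytes, dest_dir: str) -> Tuple[List[str], List[str]]:
    """Extract members that pass safe_member_path; return (extracted, rejected)."""
    extracted: List[str] = []
    rejected: List[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = safe_member_path(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> Tuple[List[str], List[str]]:
    """Run the extractor against the sample archive in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        return extract_safely(build_sample_zip(), scratch)


if __name__ == "__main__":
    print(demo())
```

The decision is made on the resolved path, not on the presence of the literal string "../": a name such as "a/../../b" only reveals its intent after normalisation, and a destination directory that is itself a symlink is handled by comparing real paths on both sides.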
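Worked example for the SMC entry above. Added here, not Sun's code: it parses shadow(4)-style lines and flags every account whose password field is empty, reporting whether the aging fields are also populated (the combination the advisory describes), then rewrites those entries with the "*LK*" marker Solaris shows for a locked account. The sample lines are constructed; the user names and hash values are not from any real system.

```python
from typing import Dict, List, Tuple

# The nine colon-separated fields of a shadow(4) entry, in order.
FIELDS = ("name", "password", "lastchg", "min", "max", "warn", "inactive", "expire", "flag")

# Constructed sample content (invented names and hashes). "smcuser" is the
# advisory's case: aging fields populated, password field empty. "NP" and
# "*LK*" are the Solaris markers for no-password-login and locked; "x" is a
# placeholder that never matches a real password.
SAMPLE_SHADOW = """\
root:$5$abcdef$invented0hash0value:12784:0:99999:7:::
daemon:NP:6445::::::
guest:*LK*:12784:0:99999:7:::
smcuser::12784:7:56:7:::
olduser:x:12784::::::
"""

LOCKED = "*LK*"


def parse_shadow(text: str) -> List[Dict[str, str]]:
    """Split shadow lines into named fields; reject malformed lines loudly."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def passwordless_accounts(text: str) -> List[Tuple[str, bool]]:
    """Return (name, aging_set) for every account whose password field is
    empty. An empty field means no password is needed at login; aging_set
    marks the shape the advisory describes (aging fields set, no password)."""
    findings = []
    for row in parse_shadow(text):
        if row["password"] == "":
            aging_set = any(row[f] != "" for f in ("lastchg", "min", "max"))
            findings.append((row["name"], aging_set))
    return findings


def lock_passwordless(text: str) -> str:
    """Return the shadow text with every empty password field replaced by the
    locked marker, which is the state the account should have been created in."""
    out = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == len(FIELDS) and parts[1] == "":
            parts[1] = LOCKED
        out.append(":".join(parts))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, aging in passwordless_accounts(SAMPLE_SHADOW):
        print(f"{name}: empty password field (aging fields set: {aging})")
```

Run the audit against a copy of /etc/shadow taken with root privileges; the rewrite shown here is the in-memory equivalent of locking the account, and on a live system the fix is to lock or set the password with the platform's passwd command rather than to edit the file by hand.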
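Worked example for the mpg123 entry above. Added here, not mpg123's code and not a reconstruction of its specific bug: it parses an MPEG-1 audio frame header (Layers I to III, so both MP2 and MP3 input) and validates every field that is later used as a table index or to size a frame, before any frame bytes are copied into a fixed-size buffer. Sizing a copy from unvalidated header fields is the general pattern behind heap overflows in stream decoders. The header bytes in the demo are constructed; the bit-rate and sample-rate tables are the MPEG-1 values.

```python
import struct
from typing import Dict

# MPEG-1 bit-rate tables (kbit/s) indexed by the 4-bit bitrate_index field.
# Index 0 is "free format" and index 15 is forbidden; both are rejected here.
BITRATE_KBPS = {
    1: (None, 32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448, None),
    2: (None, 32, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 384, None),
    3: (None, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, None),
}
# MPEG-1 sample rates indexed by the 2-bit sampling_frequency field; 3 is reserved.
SAMPLE_RATE_HZ = (44100, 48000, 32000, None)

# Constructed demo input: an MPEG-1 Layer II header (128 kbit/s, 44.1 kHz,
# no padding) followed by zero payload bytes. Frame length is
# 144 * 128000 // 44100 = 417 bytes.
GOOD_HEADER = bytes.fromhex("FFFD8000")
SAMPLE_STREAM = GOOD_HEADER + bytes(413)

# Largest frame any valid MPEG-1 header can describe is under 2 KiB
# (Layer II at 384 kbit/s and 32 kHz: 1728 bytes plus padding).
FRAME_BUF_SIZE = 2048


def parse_frame_header(data: bytes, offset: int = 0) -> Dict[str, int]:
    """Decode the 32-bit header at data[offset:] and validate every field
    before it is used as a table index or to compute a length."""
    if len(data) - offset < 4:
        raise ValueError("truncated header")
    hdr = struct.unpack_from(">I", data, offset)[0]
    if (hdr >> 21) != 0x7FF:
        raise ValueError("no frame sync")
    version = (hdr >> 19) & 0x3        # 3 = MPEG-1; other values not handled here
    layer_bits = (hdr >> 17) & 0x3     # 3 = Layer I, 2 = Layer II, 1 = Layer III
    bitrate_idx = (hdr >> 12) & 0xF
    srate_idx = (hdr >> 10) & 0x3
    padding = (hdr >> 9) & 0x1
    if version != 3:
        raise ValueError("only MPEG-1 handled in this example")
    if layer_bits == 0:
        raise ValueError("reserved layer value")
    layer = 4 - layer_bits
    if bitrate_idx in (0, 15):
        raise ValueError(f"bitrate index {bitrate_idx} not allowed")
    if srate_idx == 3:
        raise ValueError("reserved sampling-frequency value")
    kbps = BITRATE_KBPS[layer][bitrate_idx]
    srate = SAMPLE_RATE_HZ[srate_idx]
    if layer == 1:
        frame_len = (12 * kbps * 1000 // srate + padding) * 4   # 4-byte slots
    else:
        frame_len = 144 * kbps * 1000 // srate + padding        # 1-byte slots
    return {"layer": layer, "bitrate_kbps": kbps, "sample_rate": srate,
            "padding": padding, "frame_length": frame_len}


def read_frame(data: bytes, offset: int, buf_size: int = FRAME_BUF_SIZE) -> bytes:
    """Return the bytes of the frame at offset, only after checking that the
    header-derived length fits the decoder's frame buffer and lies within
    the input; the copy never happens on an unchecked length."""
    hdr = parse_frame_header(data, offset)
    n = hdr["frame_length"]
    if n > buf_size:
        raise ValueError(f"frame length {n} exceeds buffer of {buf_size}")
    if offset + n > len(data):
        raise ValueError("frame extends past end of input")
    return data[offset:offset + n]


if __name__ == "__main__":
    print(parse_frame_header(SAMPLE_STREAM))
    print(len(read_frame(SAMPLE_STREAM, 0)))
```

Each reserved or forbidden field value is rejected before the table lookup it would index, and the frame length is checked against both the destination buffer and the remaining input; a parser that performs the lookup or the copy first and validates afterwards is the one a crafted file can push out of bounds.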