Networking

qDefense has released an advisory concerning CGI's that notes that
they are vulnerable to a remote flat file database manipulation
vulnerability, possibly giving malicious users CGI administrator
status and, thus, read/write/execute privileges.
The problem apparently lies in a failure to validate input. According
to the qDense advisory, numerous CGI's store data, including
passwords, in a flat file database, using special characters as field
and row delimiters. Those which allow multiple users to log on, and

IT managers have been urged to make "crystal clear" what access is
allowed on company systems, in the wake of the trial of a teenage
hacker who posted thousands of credit card details on the InternetNeil
Barrett, technical director at Information Risk Management, who was an
expert witness for the prosecution, said IT managers should be
"crystal clear" on what access is allowed on their systems and what
constitutes unauthorised access.
"The main crux of Gray's defence was that the Web sites had not made

Peer-to-peer networks may be breeding ground for the next generation of nasties

Popular peer-to-peer applications like Napster will quietly nurture the next generation of Internet worms, a computer security consultant says.

Network security continues to grow more complex. Services that once were centralized and available to a relatively small group of internal users are becoming decentralize d and available to a wide audience via the Internet and extranets. For many organizations, the audience now comprises users within the enterprise as well as customers, business partners and prospects beyond traditional network boundaries.

New Zealand security firm Co-Logic has become one of the latest victims of prolific hacking group PoizonBOx.

In order to monitor hacker activity the security assessment firm had set up a "honey pot" server, a poorly protected section of its Web infrastructure that contained no real data and was designed purely to log the activity of crackers.

However after hacking into this site, PoizonBOx was able to break into the firm's genuine systems, IDG reports. The defacement has been recorded by Alldas.de and can be seen here.

Tripwire is a policy driven file system integrity checking tool that allows system administrators to verify the integrity of their data. The product opens/creates temporary files insecurely. For example, insecure temporary files are created when scanning the file system and updating tripwire database. This would allow an attacker to overwrite local file (symlinks attack)

Continuing its support of open-source operating systems, the U.S. Department of Defense granted $1.2 million to a community project aimed at adding advanced security features to FreeBSD, an open-source variant of Unix. NAI Labs, the advanced research group of security-software maker Network Associates, announced the grant Monday. The group administers the funded Community-Based Open-Source Security, or CBOSS, project.

Two of the most popular pieces of security software on the Internet contain a newly discovered flaw that could enable an intruder to send traffic through a firewall or possibly launch a denial-of-service attack.

Brass Knuckles Interviews got together with internet security expert John Bumgarner. They talked about several things including America's vulnerability to cyberwarfare, security holes in Windows ME, and how the average internet user can secure their computer from attack. You can read the interview here.

Prominent network-security experts say they have identified multiple vulnerabilities in a widely used DSL modem that can lead to unauthorized access and monitoring, denial of service, and permanent disabling of the device. The affected modems are distributed to customers by DSL providers, including SBC Communications and Bell South. Alcatel is the world's leading DSL modem maker and claims to have more than 1.6 million units installed worldwide.