Category: Warnings

The password-protection feature in Microsoft Word – activated by clicking on Tools/Protect Document – can be bypassed, disabled or deleted at will, with the help of a simple programming tool called a hex editor.

Microsoft was informed about the vulnerability in late November by Thorsten Delbrouck, chief information officer of Guardeonic Solutions, which is a subsidiary of German security specialist Infineon Technologies. He explained that one of his company’s hardware suppliers is Dell, which emails its quotes on a form protected-Word document.

Following Delbrouck’s revelations, Microsoft updated its Knowledge Base article 822924, titled ‘Overview of Office features that are intended to enable collaboration and that are not intended to increase security’ to include the following warning to users: “When you are using the ‘Password to Modify’ feature, a malicious user may still be able to gain access to your password.”

Instead of using the protect feature, Thorsten Delbrouck advises companies sending sensitive information to use digital signatures or a different document format altogether, such as Adobe’s PDF, which he has recommended to Dell in Germany.

More info: [url=http://www.silicon.com/hardware/desktops/0,39024645,39117653,00.htm?foo=Word%20hole%20exposed%20with%20no%20fix%20on%20the%20way%2001-07-2004]http://www.silicon.com/hardware/desktops/0,39024645,39117653,00.htm?foo=Word%20hole%20exposed%20with%20no%20fix%20on%20the%20way%2001-07-2004[/url]

There are growing concerns that personal information being used by data processors such as offshore call centres may be abused once it is taken outside the reach of EU law enforcement bodies. And David Naylor, partner at law firm Morrison & Foerster, believes these fears are not without foundation, despite rules which make it illegal.

Naylor said there are laws in place which mean companies generally cannot enter into outsourcing agreements where personal data is transferred outside Europe unless it is to a country which shares the same rigorous levels of data protection or the individuals concerned have consented to the transfer of their data abroad. In addition, the company transferring the data must ensure that the outsourcing service provider meets other key criteria, such as guaranteeing levels of security and employee reliability. However, he warned “there is definitely a significant danger that data could be misused once it is taken outside the EU, even though any data controller thinking they can do so without breaking UK law would probably be entirely wrong”.

With so much data being transferred via so many transactions it is often difficult to spot the legitimate from the illegal. By moving operations offshore and adding a further level of complexity to this equation it is almost inevitable breaches, both deliberate and accidental, will occur. Naylor said: “Data is flowing from country to country at incredible speeds in ever greater volumes and the ability of regulators to control that and to ensure rules are observed and laws are obeyed is far from limitless.”

More info:[url=http://www.silicon.com/software/security/0,39024655,39117625,00.htm]http://www.silicon.com/software/security/0,39024655,39117625,00.htm[/url]

The real issue comes with the Apache Web server. It was discovered that if someone gained access to the main configuration and access-restriction files used with Apache, they could execute arbitrary code i.e. set up a denial of service attack. All users of Apache have been advised to upgrade, at the same time shutting down other holes. It affects all versions prior to 1.3.29.

Last Thursday, 13 NASA websites were defaced using Apache and Linux exploits. A Brazilian hacker group apparently used a PHP script to get to the local level of Linux through Apache and then used a known hole in the Linux kernel to get admin rights. Having got that far they then displayed their knowledge and wisdom of non-IT related matters by incoherently ranting about the Iraq war.

For those wanting to read more, or download the updates, visit: [url=http://www.linuxsecurity.com/advisories/redhat_advisory-3898.html]http://www.linuxsecurity.com/advisories/redhat_advisory-3898.html[/url]

Increasing prevalence of the W32/Sober.C worm prompted Network Associates Inc. on Sunday to raise its risk assessment to medium from low.

Sober.C is most active in Germany, where e-mail security vendor MessageLabs Inc. said 83 percent of samples had originated. MessageLabs consider the risk “low,” while saying that it has intercepted a “significant number of copies” of the worm.

Symantec Corp. rated it as a level 2 threat out of five, or a low threat.

More info: [url=http://www.eweek.com/article2/0,3959,1420196,00.asp?kc=EWRSS03119TX1K0000594]http://www.eweek.com/article2/0,3959,1420196,00.asp?kc=EWRSS03119TX1K0000594[/url]

Secretary of Homeland Security Tom Ridge said the move followed a substantial increase in intelligence reports about possible threats.

Intelligence intercepts suggested that the threat now from al-Qaeda was greater than at any time since the attacks on New York and Washington, he added.

More info: [url=http://news.bbc.co.uk/1/hi/world/americas/3335595.stm]http://news.bbc.co.uk/1/hi/world/americas/3335595.stm[/url]

It has been said that games are the “bleeding edge” of computing. Could the games be changing how we value online property?

Look at iTunes and Walmart selling music throught the Internet.

As they say, I think we are starting to see the winds of change shifting again.