Category Archive

August 31, 2007

RBN (Russian Business Network)

Europe.view | A walk on the dark side | Economist.com

According to VeriSign, one of the world’s largest internet security companies, RBN, an internet company based in Russia’s second city, St Petersburg, is “the baddest of the bad”. In a report seen by The Economist, VeriSign’s investigators unpick an extraordinary story of blatant cybercrime that implies high-level political backing.

In one sense, RBN (Russian Business Network) does not exist. It has no legal identity; it is not registered as a company; its senior figures are anonymous, known only by their nicknames. Its web sites are registered at anonymous addresses with dummy e-mails. It does not advertise for customers. Those who want to use its services contact it via internet messaging services and pay with anonymous electronic cash.

But the menace it poses certainly exists. “RBN is a for-hire service catering to large-scale criminal operations,” says the report. It hosts cybercriminals, ranging from spammers to phishers, bot-herders and all manner of other fraudsters and wrongdoers from the venal to the vicious. Just one big scam, called Rock Phish (where gullible internet users were tricked into entering personal financial information such as bank account details) made $150m last year, VeriSign estimates.

Plenty of other internet companies sail close to the wind—hosting unregulated online gambling for example. But according to a VeriSign investigator, “the difference is that RBN is solely criminal”. The pricing depends on the level of complaints. A discreet organisation pays little; one that attracts a lot of unwelcome attention, forcing RBN to take expensive countermeasures, has to pay more.

Despite the attention it is receiving from Western law enforcement agencies, RBN is not on the run. Its users are becoming more sophisticated, moving for example from simple phishing (using fake e-mails) to malware known as “trojans” that sit inside a victim’s computer collecting passwords and other sensitive information and sending them to their criminal masters.

A favourite trick is to bypass the security settings of a victim's browser by means of an extra piece of content injected into a legitimate website. An unwary user enters his password or account number into what looks like the usual box on his log-in page, and within minutes a programme such as Corpse’s Nuclear Grabber, OrderGun or Haxdoor has passed it to a criminal who can empty his bank account. When VeriSign managed to hack into the RBN computer running the scam, it found accumulated data representing 30,000 such infections. “Every major trojan in the last year links to RBN,” says a VeriSign sleuth.

RBN even fights back. In October 2006, the National Bank of Australia took active measures against Rock Phish, both directly and via a national anti-phishing group to which the bank’s security director belonged. RBN-based cybercriminals replied by crashing the bank’s home-page for three days.

What can be done? VeriSign has tracked down the physical location of RBN’s servers. But Western law enforcement officers have so far tried in vain to get their Russian counterparts to pursue the investigation vigorously. “RBN feel they are strongly politically protected. They pay a huge amount of people. They know they are being watched. They cover their tracks,” says VeriSign. The head of RBN goes under the internet alias “Flyman”; his uncle is thought to be a senior St Petersburg politician. Repeated e-mails to RBN’s purported contact addresses asking for comment have gone unanswered.

Companies can simply block access to any site registered at an RBN IP address. But that will not help most victims, such as those who receive infected e-mails. VeriSign says only strong political pressure on Russia will make the criminal justice system there deal with this glaring example of cyber-illegality.

August 31, 2007 at 03:17 PM in Security | Permalink | Top of page | Blog Home

March 16, 2006

The Conference Board Consumer Internet Barometer Finds More Consumers Are Filing Taxes Online

Consumer Internet Barometer - Economics - The Conference Board

March 15, 2006

Consumer Internet Barometer

More consumers are filing their taxes online and using do-it-yourself tax software, The Conference Board reports today.

Approximately 37 percent of consumers intend to file their 2005 federal taxes online, up from less than 28 percent just two years ago. Some 62 percent of these consumers have been filing online for more than three years, while only 9 percent are first-time filers. "Do-it-yourself" software has become much more popular and will be used by nearly 40 percent of filers. Most filers prefer receiving their refunds by direct deposit. Among consumers who filed online last year, nearly three-quarters chose to receive their refund by direct deposit.

Fewer consumers are looking directly to the IRS website to file their taxes. The IRS does offer a "Free File" option for some taxpayers on its website as part of its E-file program, but fewer than 19 percent of online filers intend to use this service to file their taxes, down from nearly 24 percent in 2004.

The Consumer Internet Barometer is produced by The Conference Board and TNS, the world's largest custom research company, and covers 10,000 households.

"Once consumers file online, they tend to stay online," says Lynn Franco, Director of The Conference Board Consumer Research Center. "The number of people filing their federal taxes online continues to grow with do-it-yourself software paving the way. This year, nearly an equal proportion of consumers will file online using tax software as will file online using a professional service."

The number-one reason cited for not filing online is that the consumer does not do his/her own taxes. In fact, the number of filers not doing their own taxes has risen from less than 30 percent in 2004 to 34 percent today. The second most popular reason for not filing online is that filers don't want their personal information on the Internet. However, the proportion of online consumers citing security concerns as a deterrent has abated over the past two years.

More Filers Are Using 'Do-It-Yourself' Tax Software

Among consumers intending to file their federal taxes online, about 40 percent intend to use a professional service, with women slightly more likely than men to seek assistance. The use of do-it-yourself tax software has made tremendous inroads in a short span of time. In 2004, less than 31 percent of male filers and only 28 percent of females used do-it-yourself tax software. Today, the software will be used by 38 percent of all male filers and 37 percent of females.

Among online tax filers last year, more than 72 percent chose to receive their refund via direct deposit and a mere 16 percent requested a check. Says Franco: "The turnaround time offered by direct deposit clearly makes it the preferred choice of online filers."

Consumers Still Uncomfortable With Online Banking

Nearly 52 percent of online consumers are extremely concerned about security when banking online, but the level has fallen from 62 percent in 2004.

At the other end of the anxiety barometer is the filing of federal taxes online. Only 43 percent of web surfers feel the same degree of apprehension about filing their federal taxes online. But more people are getting comfortable with this process. Just two years ago, 52 percent of online consumers were extremely concerned about filing online.

Women are generally more concerned than men about security when conducting financial transactions online. But the gender gap has narrowed and both sexes are less concerned today than they were in 2004.

"It is not surprising that we still see high levels of wariness about the security of banking and filing taxes online," says David Stark, North America Privacy Officer of TNS.

"Many Americans are alarmed by Internet scams and media reports of data security breaches. The easing up in concern levels is encouraging, however, as it suggests that consumers are not only more familiar with banking and filing taxes online, but also increasingly aware of how to protect themselves on the Web," Stark added.

About This Survey:

The Consumer Internet Barometer is based on a quarterly survey of 10,000 households. A unique sample is surveyed each quarter. Return rates average 70 percent, which ensures highly representative data. Data is weighted as well to reflect the latest U.S. household demographic information. The latest survey was conducted during the first quarter of 2006. For more information, please email f.tortorici@conference-board.org or lynn.franco@conference-board.org.

March 16, 2006 at 12:35 AM in Security

March 14, 2006

Lessons to Learn From Citi Data Breach

The blame is being placed firmly on the merchant here (originally indicated to be OfficeMax, but now unspecified?). This explanation seems all too simple, but perhaps it is that simple.

In order for this to be the case, the merchant would have to be storing:
a) the PIN, and
b) a complete copy of the magnetic-stripe (track) data.

I still suspect there is more to it, in what is clearly an inside job.

However, if that is all there is to it, then ....

Relevance to Bankwatch:

  • Banks have to be accountable for the data that is shared with private networks and merchants; it is unacceptable to blame all the links in the chain, because there are so many.
  • Customers will (rightly) look to the issuing bank to protect their information.
  • Technology allows for sufficient data sharing to complete a transaction without sharing all of the customer's authentication credentials (e.g. public key encryption). Anything short of that is technological laziness.
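To make concrete what "a complete replica of the mag strip data" means, and why a merchant holding it together with the PIN is the whole problem, here is an added example, not code from the article or from Bankwatch: a parser for the Track 2 record the stripe carries, the subset of it a merchant actually needs to keep after a sale, and a check that flags a stored record holding anything more. The sample track (built on the 4111 1111 1111 1111 test PAN), the field names and the record keys are constructed for this example; the rule it encodes (no full-track, card-verification or PIN data retained after authorisation, encrypted or not) is PCI DSS requirement 3.2.

```python
"""Added example (not code from the article or from Bankwatch): what a
"complete replica of the mag strip data" actually contains, and a check
for merchant records that keep more of it than they should.

Track 2 of the magnetic stripe (ISO/IEC 7813) is laid out as
    ;PAN=YYMM<service code><discretionary data>?
The discretionary data on a live card typically carries the issuer's PIN
verification value and card verification value, so a merchant holding the
full track (plus, as in the Citi case, the PIN) is holding everything
needed to clone the card and use it at an ATM. The sample record below is
constructed around the 4111 1111 1111 1111 test PAN; the field and record
names are this example's own.
"""
import re
from dataclasses import dataclass

# ';' start sentinel, PAN (up to 19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)

# Card-brand rules (PCI DSS requirement 3.2) forbid retaining these after
# authorisation, encrypted or not. Key names are this example's own.
PROHIBITED_AFTER_AUTH = ("full_track2", "discretionary", "cvv", "pin", "pin_block")


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check over the PAN; rejects mistyped or made-up numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Split a raw Track 2 read into its fields, refusing malformed input."""
    m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not an ISO 7813 Track 2 record")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def storable_fields(t: Track2) -> dict:
    """What a merchant needs after authorisation: a masked PAN (first six,
    last four) and the expiry. Nothing from the discretionary data."""
    masked = t.pan[:6] + "*" * (len(t.pan) - 10) + t.pan[-4:]
    return {"pan_masked": masked, "expiry_yymm": t.expiry_yymm}


def retention_violations(stored: dict) -> list:
    """Names of prohibited elements present (non-empty) in a stored record."""
    return [k for k in PROHIBITED_AFTER_AUTH if stored.get(k)]


if __name__ == "__main__":
    raw = ";4111111111111111=0812101123456789?"   # constructed sample read
    track = parse_track2(raw)
    # The record the article implies the merchant kept: full track plus PIN.
    as_described = {"full_track2": raw, "pin": "1234", **storable_fields(track)}
    print("violations:", retention_violations(as_described))
    print("should have kept only:", storable_fields(track))
```

Run against the record the article describes, the check names the two elements (full track, PIN) whose presence turns a merchant database into a card-cloning kit; run against the masked record, it returns nothing. That is the concrete form of the point above: the transaction can be completed with far less than the merchant was holding.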

Lessons to Learn From Citi Data Breach
Yet experts say two important points to keep in mind when examining this situation are
1) the breach occurred at a third party, not the bank, and
2) this incident is not about PIN technology itself, but the way the data was stored.

"This issue isn't about the [strength] of PINs—it's about the merchants and how they store this data," says Bruce Cundiff, an analyst with Pleasanton, Calif.-based Javelin Strategy & Research.

Jon Gossels, founder of SystemExperts (Sudbury, Mass.), agrees. "PIN wasn't the problem [in the Citibank case]. Having a card and typing a PIN is perfectly adequate authentication," he says. "It was the data that was stolen internally."

March 14, 2006 at 11:51 PM in Security

February 16, 2006

Some companies helped the NSA, but which?

Some companies helped the NSA, but which? | CNET News.com

By Declan McCullagh and Anne Broache
Staff Writer, CNET News.com
Published: February 6, 2006, 4:00 AM PST

This is the first in a two-part series. Part two offers a glimpse at the technical details of how the National Security Agency's electronic surveillance system seems to work.

Even after the recent scrutiny of the National Security Agency's domestic surveillance project approved by President Bush, an intriguing question remains unanswered: Which corporations cooperated with the spy agency?

Some reports have identified executives at "major telecommunications companies" who chose to open their networks to the NSA. Because it may be illegal to divulge customer communications, though, not one has chosen to make its cooperation public.

Under federal law, any person or company who helps someone "intercept any wire, oral, or electronic communication"--unless specifically authorized by law--could face criminal charges. Even if cooperation is found to be legal, however, it could be embarrassing to acknowledge opening up customers' communications to a spy agency.

A survey by CNET News.com has identified 15 large telecommunications and Internet companies that are willing to say that they have not participated in the NSA program, which intercepts e-mail and telephone calls without a judge's approval.

Twelve other companies that were contacted and asked identical questions chose not to reply, in some cases citing "national security" as the reason.

Those results come amid a push on Capitol Hill for more information about the NSA's wiretapping practices. On Monday, Attorney General Alberto Gonzales is expected to testify at a Senate Judiciary Committee hearing, and President Bush and his closest allies have been stepping up their defense of the program in preparation for it.

To be sure, there are a number of possible explanations for the companies' silence. In some cases, a company's media department could have been overworked. Another possibility is the company's lawyers were unavailable or chose not to reply for unknown reasons.

Also, some survey recipients, such as NTT Communications, responded with a general statement expressing compliance "with law enforcement requests as permitted and required by law" rather than addressing the question of NSA surveillance.

A lawsuit that could yield more details about industry cooperation is winding its way through the federal courts. Last week, the Electronic Frontier Foundation, a civil liberties group based in San Francisco, sued AT&T after a report that the company had shared its customer records database--though not its network--with the NSA.

AT&T would not respond when asked whether it participated. An AT&T spokesman, Dave Pacholczyk, said: "We don't comment on matters of national security."

The News.com survey, started Jan. 25, found that wireless providers and cable companies were the most likely to distance themselves from the NSA. Cingular Wireless, Comcast, Cox Communications, Sprint Nextel and T-Mobile said they had not turned over information or opened their networks to the NSA without being required by law.

Companies that are backbone providers, or which operate undersea cables spanning the ocean, were among the least likely to respond. AT&T, Cable & Wireless, Global Crossing, Level 3, NTT Communications, SAVVIS Communications and Verizon Communications chose not to answer the questions posed to them.

The New York Times reported on Dec. 24 that the NSA has gained access to switches that act as gateways at the borders between the United States' communications networks and international networks. But "the identities of the corporations involved could not be determined," the newspaper added.

At the water's edge
Analysts and historians who follow the intelligence community have long said the companies that operate submarine cables--armored sheaths wrapped around bundles of fiber optic lines--surreptitiously provide access to the NSA.

"You go to Global Crossing and say...once your cable comes up for air in New Jersey or on the coast of Virginia, wherever it goes up, we want to put a little splice in, thank you very much, which NSA can do," said Matthew Aid, who recently completed the first volume in a multiple-volume history of the NSA. "The technology of getting access to that stuff is fairly straightforward."

Aid was citing Global Crossing as an example, not singling it out. Global Crossing describes itself as an Internet backbone network that shuttles traffic for about 700 telecommunications carriers, mobile operators and Internet service providers. According to the International Cable Protection Committee, the company has full or partial ownership of several trans-Atlantic and trans-Pacific cables.

Global Crossing spokesman Tom Topalian said "99 percent of wiretapping is done at a local phone company level" instead of at backbone providers. Topalian declined to answer questions about NSA access, and added: "All U.S. carriers have to comply with the CALEA act, and Global Crossing complies with CALEA." (CALEA is a 1994 federal law requiring certain telecommunications providers to make their networks wiretap-friendly for domestic law enforcement, not intelligence agencies.)

Rep. John Conyers, D-Mich., last month sent a letter to companies including Google, Yahoo, EarthLink, Verizon and T-Mobile asking them if they cooperated with the NSA. News.com asked similar questions, but expanded the number of companies to include backbone and submarine cable providers.

Among the companies that responded, some offered far more detail than others. Les Seagraves, EarthLink's chief privacy officer, said: "We've never even been asked to give information without the benefit of a subpoena or a court order behind it. And our policy is to require a subpoena or court order, basically to require a court of law behind the inquiry."

"We're very interested in protecting our customers' privacy and balancing that with our duties to comply with the law," Seagraves added. "Our way to balance that is to definitely make sure we have a valid legal request before we release any information."

Comcast spokesman Tim Fitzpatrick said the company "will only provide customer information pursuant to a valid court order and only if Comcast's records contain information sufficient to identify the customer account on the (date or dates) listed in the court order."

A representative of Cox Communications, David Grabert, said: "Cox has never received a request for information or a wiretap that was not accompanied by a warrant."

NSA's history of industry deals
Louis Tordella, the longest-serving deputy director of the NSA, acknowledged to overseeing a similar project to intercept telegrams as recently as the 1970s. It relied on the major telegraph companies including Western Union secretly turning over copies of all messages sent to or from the United States.

"All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.

The telegraph interception operation was called Project Shamrock. It involved a courier making daily trips from the NSA's headquarters in Fort Meade, Md., to New York to retrieve digital copies of the telegrams on magnetic tape.

Like today's eavesdropping system authorized by Bush, Project Shamrock had a "watch list" of people in the U.S. whose conversations would be identified and plucked out of the ether by NSA computers. It was intended to be used for foreign intelligence purposes.

Then-President Richard Nixon, plagued by anti-Vietnam protests and worried about foreign influence, ordered that Project Shamrock's electronic ear be turned inward to eavesdrop on American citizens. In 1969, Nixon met with the heads of the NSA, CIA and FBI and authorized a program to intercept "the communications of U.S. citizens using international facilities," meaning international calls, according to James Bamford's 2001 book titled "Body of Secrets."

Nixon later withdrew the formal authorization, but informally, police and intelligence agencies kept adding names to the watch list. At its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr.

Details about Project Shamrock became public as part of a Senate investigation of the NSA. Telegraph companies participating in the program initially balked when questioned by Senate investigators. But documents turned over by the NSA "cast doubt on the veracity of the companies' claims that they could find no documentation pertaining to Shamrock," wrote Snider. "After all, this had concerned the highest levels of their corporate management for at least four years."

Another apparent example of NSA and industry cooperation became public in 1995. The Baltimore Sun reported that for decades NSA had rigged the encryption products of Crypto AG, a Swiss firm, so U.S. eavesdroppers could easily break their codes.

The six-part story, based on interviews with former employees and company documents, said Crypto AG sold its compromised security products to some 120 countries, including prime U.S. intelligence targets such as Iran, Iraq, Libya and Yugoslavia. (Crypto AG disputed the allegations.)

"Only a very few top executives"
The extent of the NSA's surveillance project in operation today remains unclear. Attorney General Gonzales has stressed that the program intercepts e-mail and phone conversations only when "one party to the communication is outside the United States."

In his book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

Tapping into undersea copper and fiber-optic cables where they make landfall would be one way to create a virtual web of surveillance that can snare Internet packets or voice communications when they traverse U.S. borders. One benefit for the government is that one participant in the conversation is likely to be overseas--permitting Gonzales and the NSA to stress the interception's international nature.

Another method would be to seek the cooperation of backbone providers with networks entirely within the United States. That could be done with a tap hooked up to the switches at a telephone company or backbone provider, said Phill Shade, a network engineer for WildPackets who is the company's director of international support services. WildPackets sells network analysis software.

"The tap essentially splits off a copy of the traffic--it would literally take a copy of all the traffic as it moves through the wire," Shade said. "Picture a capital letter 'Y' in your head...One copy goes back out the regular wire on the right side of the wire, and the copy you're interested in splitting goes off the left side of the Y to you. These are very common networking devices, used in networks all over the world."

The tap's exact location may matter. Sen. Arlen Specter, a Pennsylvania Republican who is convening Monday's hearing, has asked Gonzales to respond to a series of questions about the legality of the program. One question Specter is posing: If intercepted calls are "routed through switches which were physically located on U.S. soil, would that constitute a violation of law or regulation restricting NSA from conducting surveillance inside the United States?"

Who's helping the NSA?

CNET News.com asked telecommunications and Internet companies about cooperation with the Bush administration's domestic eavesdropping scheme. We asked them: "Have you turned over information or opened up your networks to the NSA without being compelled by law?"
Company                      Response
Adelphia Communications      Declined comment
AOL Time Warner              No [1]
AT&T                         Declined comment
BellSouth Communications     No
Cable & Wireless*            No response
Cablevision Systems          No
CenturyTel                   No
Charter Communications       No [1]
Cingular Wireless            No [2]
Citizens Communications      No response
Cogent Communications*       No [1]
Comcast                      No
Cox Communications           No
EarthLink                    No
Global Crossing*             Inconclusive
Google                       Declined comment
Level 3*                     No response
Microsoft                    No [3]
NTT Communications*          Inconclusive [4]
Qwest Communications         No [2]
SAVVIS Communications*       No response
Sprint Nextel                No [2]
T-Mobile USA                 No [2]
United Online                No response
Verizon Communications       Inconclusive [5]
XO Communications*           No [1]
Yahoo                        Declined comment

* = Not a company contacted by Rep. John Conyers.
[1] The answer did not explicitly address NSA but said that compliance happens only if required by law.
[2] Provided by a source with knowledge of what this company is telling Conyers. In the case of Sprint Nextel, the source was familiar with Nextel's operations.
[3] As part of an answer to a closely related question for a different survey.
[4] The response was "NTT Communications respects the privacy rights of our customers and complies fully with law enforcement requests as permitted and required by law."
[5] The response was "Verizon complies with applicable laws and does not comment on law enforcement or national security matters."

February 16, 2006 at 08:25 AM in Security

Yahoo on NSA surveillance: No comment

Yahoo on NSA surveillance: No comment | CNET News.com

By Declan McCullagh
Staff Writer, CNET News.com
Published: February 15, 2006, 1:55 PM PST

Under cross-examination during a congressional hearing, Yahoo's top lawyer refused on Wednesday to say whether the company opens its records for government surveillance without a court order.

Michael Callahan, Yahoo's senior vice president and general counsel, declined five times to answer that question from Rep. Brad Sherman, a California Democrat who was probing whether the Internet company had cooperated with the National Security Agency's domestic surveillance efforts.

"It wouldn't be appropriate for me to comment," said Callahan, who was testifying under oath. He added that Yahoo would "only turn over information if it's required by law."

But Callahan refused to say whether a demand from the NSA--not backed by a court order--qualifies as required by law.

No law or regulation prohibits Yahoo from answering the question. In a survey published last week by CNET News.com, companies as varied as BellSouth, Comcast, EarthLink and T-Mobile answered in the negative. Rep. John Conyers, a Michigan Democrat, has posed similar questions to those companies, and AT&T has been sued for allegedly turning information over to the NSA in violation of privacy laws.

Sherman, who represents the San Fernando Valley near Los Angeles, is a Harvard Law graduate who was known as a stickler for detail while a lawyer in private practice. He's been critical of the NSA surveillance program, and said last week that President Bush's recent claims about terrorists planning to attack a Los Angeles skyscraper were a political stunt.

Video: Can the NSA look at your e-mail?
During a House hearing on Wednesday, Rep. Brad Sherman, D-Calif., asks Yahoo general counsel Michael Callahan if the NSA can access the e-mail of private American citizens.

Below is a transcript, edited for clarity, of Wednesday's exchange that took place during a House of Representatives hearing about China and the Internet.

Rep. Brad Sherman: Let's say you get a call from the NSA saying they want you to give them a copy of all my e-mails. Can I rely on your privacy policy that you're not going to give those e-mails to the NSA unless you get a court order?

Yahoo General Counsel Michael Callahan: We would only disclose information in compliance with law and our privacy policy.

Sherman: Does that include a court order or letter from the NSA?

Callahan: I wouldn't be able to comment.

Sherman: The attorney general says the executive branch, without any OK from either of the other two branches, has the right to read everything you have in your files about me. You might very well agree?

Callahan: It wouldn't be appropriate for me to comment.

Sherman: How can I be a Yahoo user?... If you tell me you'll decide later if a sheriff in some obscure county (that I've never visited can obtain access to my files based on a simple request?)

Callahan: We only turn over information if it's required by law.

Sherman: An investigation from some county that I've never been to?

Callahan: If we were served with proper legal process, we would have to give it.

Sherman: Sir, you're assuming the answer to the question and pretending that's an answer. I'm asking you, as the chief lawyer from Yahoo, is e-mail from some sheriff...is that a requirement that you would adhere to or would you fight it in court?

Callahan: That is not something we would provide.

Sherman: How about if it came from the NSA?

Callahan: (I can't comment on that.)

February 16, 2006 at 08:23 AM in Security

February 14, 2006

VeriSign Introduces VeriSign® Identity Protection (VIP) To Protect Consumer Online Identities

VeriSign Introduces VeriSign® Identity Protection To Protect Consumer Online Identities from VeriSign, Inc.

PayPal, eBay and Yahoo! To Join Shared Authentication Network As Strategic Anchor Tenants; Motorola and SanDisk To Lend Technology Support

MOUNTAIN VIEW, CA., February 13, 2006 – VeriSign, Inc., (NASDAQ: VRSN), the leading provider of intelligent infrastructure services for Internet and telecommunications networks, today announced the launch of VeriSign® Identity Protection (VIP), a comprehensive solution that will help provide identity protection for consumers who conduct business online. VIP is supported by several leading online companies, including PayPal, eBay and Yahoo!. In addition, technology partner SanDisk has announced plans to support VIP by manufacturing and distributing OATH compliant USB mass-storage and trusted flash devices, while Motorola plans to lend its support in enabling this technology on consumer mobile devices.

A recent report by the Federal Trade Commission found that 37 percent of all Internet fraud complaints filed dealt with identity theft. Additionally, Gartner research vice president Avivah Litan noted in her report “Credit Report and Internet Data Theft Results in More Fraud in 2005” that, of those surveyed, financial losses resulting from information stolen off the Internet were $2.7 billion.

VIP is a modern approach to combating digital identity theft targeted for both consumers and online services that demand better identity protection without sacrificing the convenience of everyday Web lifestyles. VIP will allow consumers to use a single security device to authenticate themselves across any future VIP-enabled Web site of network members, such as PayPal, eBay or Yahoo!. VIP will make it simpler and more cost-effective for online companies such as financial institutions, ISPs or e-commerce sites to implement stronger authentication by leveraging a shared infrastructure and enabling everyday devices to become authentication devices.

VIP will take a layered approach to Identity Protection by providing a comprehensive set of services enhanced by network intelligence. It will include the following components:

o Shared Authentication Network: Operated by VeriSign, the VIP Network will allow online service providers and enterprises to accept the same VIP authentication credentials as other participating members of the network. The VIP Network will enable consumers to utilize a single, OATH-compliant strong authentication credential, no matter the form, across any of the VIP-enabled Web sites of network members.
o Multi-factor Authentication: The VIP Authentication Service is a flexible, easy-to-deploy two-factor authentication solution that will facilitate the management of devices distributed to end-users. It will be based on open standards defined by OATH, an industry-wide working group for authentication. These open standards will allow VIP authentication to deliver an unprecedented array of credential choices for consumers.
o Fraud Detection: Using advanced anomaly detection technology, the service will monitor for and detect fraudulent logins and transactional fraud in real time to enable risk-based authentication. To catch known and unknown fraud, the service will combine a policy engine with a self-learning anomaly detection engine. This non-intrusive approach will not require any change to a Web site and will remain invisible to the consumer until a fraud is detected.
o Fraud Intelligence Network: The fraud intelligence network, which VeriSign intends to make available in the summer of 2006, will allow the sharing of critical fraud data and signatures across VIP-enabled Web sites of network members. The VIP Fraud Intelligence Network will leverage VeriSign’s unique visibility gleaned from the operation of core Internet technologies.

VeriSign intends to add further services in the summer of 2006, including the VeriSign VIP portal, which will allow consumers to obtain first-level support for VIP-enabled authentication devices directly from VeriSign.

In addition to VeriSign, PayPal has agreed to become the first device issuer for the VIP network. Yahoo! plans to join the VIP network as a founding member and anchor tenant, enabling the use of VIP devices on any of its VIP-enabled Web sites. In order to deliver strong authentication devices across a large user base, VeriSign has also signed key technology partnerships that will embed one-time password algorithms into common, everyday devices. SanDisk intends to embed OATH-compliant One Time Passwords (OTP) into its mass-storage and trusted flash devices, while Motorola is endorsing VIP’s unique shared network authentication approach to protecting online identities and its proliferation to consumers.
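As an added illustration of what an OATH-compliant one-time-password credential and its validating server actually compute, the following is not VeriSign's or any partner's code; it implements the HOTP algorithm of RFC 4226 (the OATH event-based OTP) and assumes a constructed 20-byte shared secret. The validator side shows the two checks a shared authentication network has to get right: a look-ahead window to resynchronise a device whose button was pressed without a login, and a lockout so a 6-digit code cannot be guessed online.

```python
"""HOTP (RFC 4226), the OATH event-based one-time password, plus a validator.

Added example, not VeriSign code.  Secret and counters below are constructed;
the test vectors are the ones published in RFC 4226 Appendix D.
"""
import hashlib
import hmac
import struct

# Constructed shared secret (the RFC 4226 test secret), as provisioned
# into both the token and the issuing server.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for `secret` at event `counter` (RFC 4226 s5.3)."""
    # Step 1: HMAC-SHA-1 over the 8-byte big-endian counter.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Step 2: dynamic truncation. The low 4 bits of the last byte choose an
    # offset; 31 bits starting there become the binary code.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    # Step 3: reduce modulo 10^digits and zero-pad so leading zeros survive.
    return str(code % 10 ** digits).zfill(digits)


class HotpValidator:
    """Server-side state for one issued token.

    `counter` is the next event the server expects; `window` is how many
    unseen events it will look ahead before rejecting; `max_failures`
    locks the credential after consecutive bad codes.
    """

    def __init__(self, secret: bytes, window: int = 10, max_failures: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window
        self.failures = 0
        self.max_failures = max_failures
        self.locked = False

    def verify(self, candidate: str) -> bool:
        """Accept `candidate` if it matches a counter in the look-ahead window."""
        if self.locked:
            return False
        for c in range(self.counter, self.counter + self.window):
            # Constant-time comparison; both sides are ASCII digit strings.
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                # Resynchronise past the accepted event so it can never be
                # replayed, and clear the failure count.
                self.counter = c + 1
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


if __name__ == "__main__":
    # Token and server share the secret; the token has been pressed 3 times
    # without logging in, so the server sees counter 3 while expecting 0.
    server = HotpValidator(SHARED_SECRET)
    print("accept skipped-ahead code:", server.verify(hotp(SHARED_SECRET, 3)))
    print("replay of same code:", server.verify(hotp(SHARED_SECRET, 3)))
```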

“With the increase in both the frequency and sophistication of malicious online activities such as phishing and identity theft, a fresh approach is needed to protect consumers as they conduct business online,” said Judy Lin, executive vice president and general manager, VeriSign Security Services. “VeriSign Identity Protection will provide a new means to protect consumer identities, combining multi-factor authentication, a shared network of information and intelligence and actionable fraud monitoring. With our partners, the VIP service will provide end-users with easy-to-purchase and easy-to-deploy multi-factor authentication.”

VIP will be available directly from VeriSign, or through any of the service providers participating in the VIP Network. Elements of VIP, including strong authentication and shared authentication network capabilities, are available today, with additional capabilities being added this summer. For more information, please go to: http://www.verisign.com/dm/vip

SUPPORT QUOTES FOR VIP

eBay/PayPal
“Online security is central to everything we do at eBay and PayPal, so we are pleased to be working with VeriSign as one of the first members of the VIP Network”
-- Rob Chesnut, Senior Vice President of Trust and Safety, eBay and PayPal.

Yahoo!
“Yahoo! has always been focused on providing consumers with the safest Internet experience possible. We continuously look for ways to meet our users’ evolving needs and are proud to participate in the VIP Network. We look forward to delivering added security for our customers through this innovative industry standard solution.”
-- Ash Patel, Chief Product Officer, Yahoo!

Motorola
“As mobile data experiences increase in richness and complexity, so does the need to protect them. No one wants to suffer the consequences of identity theft, so security is critical to gaining consumer acceptance of new mobile data services. VeriSign and Motorola share a vision for mobile security, and we look forward to supporting VIP and working together to bring consumers stronger protection for their online identities in the mobile world.”
-- Christy Wyatt, Vice President, Ecosystem and Market Development, Motorola.

SanDisk
“The addition of strong authentication services from VeriSign will greatly augment the extensive storage capabilities of our SanDisk devices and provide a level of ‘out of the box’ consumer online identity protection. Through our partnership with VeriSign, our flash devices will contain a capability previously unavailable – at no additional cost to consumers.”
-- Carlos Gonzalez, Senior Director of Consumer Marketing, SanDisk Corporation

About VeriSign
VeriSign, Inc. (Nasdaq: VRSN), operates intelligent infrastructure services that enable and protect billions of interactions every day across the world’s voice and data networks. Additional news and information about the company is available at www.verisign.com

For more information, contact:
VeriSign Media Relations: Brendan P. Lewis, brlewis@verisign.com, 650-426-4470
VeriSign Investor Relations: Tom McCallum, tmccallum@verisign.com, 650-426-3744

Statements in this announcement other than historical data and information constitute forward-looking statements within the meaning of Section 27A of the Securities Act of 1933 and Section 21E of the Securities Exchange Act of 1934. These statements involve risks and uncertainties that could cause VeriSign's actual results to differ materially from those stated or implied by such forward-looking statements. The potential risks and uncertainties include, among others, the uncertainty of future revenue and profitability and potential fluctuations in quarterly operating results due to such factors as the risk that VeriSign's announced strategic relationships, including the relationships with PayPal, eBay, Yahoo!, SanDisk and Motorola, may not result in additional products, services, customers, profits or revenues; and increased competition and pricing pressures. More information about potential factors that could affect the company's business and financial results is included in VeriSign's filings with the Securities and Exchange Commission, including in the company's Annual Report on Form 10-K for the year ended December 31, 2004 and quarterly reports on Form 10-Q. VeriSign undertakes no obligation to update any of the forward-looking statements after the date of this press release.

February 14, 2006 at 12:59 PM in Security

February 11, 2006

U.S. Concludes 'Cyber Storm' Mock Attacks

U.S. Concludes 'Cyber Storm' Mock Attacks - Yahoo! News

By TED BRIDIS, Associated Press Writer Fri Feb 10, 4:42 PM ET

WASHINGTON - The government concluded its "Cyber Storm" wargame Friday, its biggest-ever exercise to test how it would respond to devastating attacks over the Internet from anti-globalization activists, underground hackers and bloggers.

Bloggers?

Participants confirmed parts of the worldwide simulation challenged government officials and industry executives to respond to deliberate misinformation campaigns and activist calls by Internet bloggers, online diarists whose "Web logs" include political rantings and musings about current events.

The Internet survived, even against fictional abuses against the world's computers on a scale typical for Fox's popular "24" television series. Experts depicted hackers who shut down electricity in 10 states, failures in vital systems for online banking and retail sales, infected discs mistakenly distributed by commercial software companies and critical flaws discovered in core Internet technology.

Some mock attacks were aimed at causing a "significant cyber disruption" that could seriously damage energy, transportation and health care industries and undermine public confidence, said George Foresman, an undersecretary at the Homeland Security Department.

There was no impact on the real Internet during the weeklong exercise. Government officials from the United States, Canada, Australia and England and executives from Microsoft, Cisco, VeriSign and others said they were careful to simulate attacks only on isolated computers, working from basement offices at the Secret Service's headquarters in downtown Washington.

The Homeland Security Department promised a full report on results from the exercise by summer.

Foresman likened his agency's role during any Internet attack to an orchestra conductor, coordinating responses from law enforcement, intelligence agencies, the military and private firms. The government's goal is a "symphony of preparedness," Foresman said.

Homeland Security coordinated the exercise. More than 115 government agencies, companies and organizations participated. They included the White House National Security Council, Justice Department, Defense Department, State Department, National Security Agency and CIA, which conducted its own cybersecurity exercise called "Silent Horizon" last May.

An earlier cyberterrorism exercise called "Livewire" for Homeland Security and other federal agencies concluded there were serious questions over the government's role during a cyberattack, depending on who was identified as the culprit: terrorists, a foreign government or bored teenagers.

It also questioned whether the U.S. government would be able to detect the early stages of such an attack without significant help from private technology companies.

___

On the Net:

Department of Homeland Security: http://www.dhs.gov

February 11, 2006 at 12:09 PM in Security

January 06, 2006

PassMark Security appoints Kim MacPherson VP of engineering

Finextra: PassMark Security appoints Kim MacPherson VP of engineering

PassMark Security, the leading developer of authentication solutions for consumer ecommerce, announced the expansion of its world-class engineering management team with the addition of Kim MacPherson as vice president of engineering.

For the past five years, MacPherson was vice president of engineering at Securify, where she built network security platforms deployed in ultra-high-security environments in the federal government's military and espionage agencies. Previously, she built secure financial services applications at Intuit, including electronic tax filing systems.

MacPherson joins a product development executive team with extraordinary experience and depth:

Louie Gasparini, CTO, was SVP Internet Transaction Systems at Wells Fargo for many years, where he helped build Wells' pioneering online banking platform.

Charley Chell, director of engineering, managed development teams at CyberSource, a leading payment processing and fraud screening provider for Internet merchants.

William Wright, PhD, chief scientist, was lead architect of both the world's leading back-end credit card fraud detection system (HNC's Falcon system) and a leading front-end credit card fraud detection system (CyberSource's AFS system).

PassMark's system is the preeminent consumer-based online authentication solution in the market today. In its year-end cover story, BusinessWeek named it one of the "25 Best Products of 2005." Installed at major financial institutions such as Bank of America, it is currently deployed to more than 10 million users, and will roll out to more than 20 million users by the end of the first quarter.

"PassMark pioneered the category of tokenless two-factor authentication," said Louie Gasparini. "With the FFIEC's recent endorsement of two-factor for all U.S. banks, we're gearing up to manage rapidly rising demand based on the market's acceptance of our innovative approach. Experience counts when you're building and installing high-scale, mission-critical systems. Kim has exactly that experience."

January 6, 2006 at 12:49 AM in Security

January 05, 2006

Bank of America extends SiteKey security to Northeast states

Finextra: Bank of America extends SiteKey security to Northeast states

An Online Banking security feature that helps prevent fraud and identity theft expanded to the Northeast in December, Bank of America announced today.

The free service, called SiteKey, provides an extra level of authentication to enhance security. Customers pick one of thousands of images, write a brief phrase and select three challenge questions. The customer and the bank pass that information securely back and forth to confirm each other's identity.

Using SiteKey is like getting a safe deposit box that takes two keys to open. Before the customer and the bank agree to open the box together, they confirm each other's identity. Industry experts have recognized the bank as the first major financial services company to provide this added level of security.

Bank of America has the most online banking customers in the world, with 14.6 million subscribers and 7.2 million online bill payers. Bank of America customers make up more than 34 percent of all online bankers and more than 58 percent of online banking bill payers in the United States.

The most recent states to receive SiteKey were Connecticut, Massachusetts, Maine, New Hampshire, New Jersey, New York, Pennsylvania and Rhode Island. SiteKey is now available throughout the country, except in Washington and Idaho, where it will launch later this year. The free service is moving from an optional to a standard part of sign-in. Customers will be told about the change through onscreen messages in advance.

"We're the first major bank to offer this extra level of protection and we're making it a standard part of signing in to help protect all of our Online Banking customers from fraud and identity theft," said Sanjay Gupta, e-Commerce executive. "Signing up for SiteKey only takes a few minutes, and it's easy to use because you don't need extra hardware or other equipment."

Also in December, the bank took an additional security step to help customers identify fraudulent Web sites by posting the Bank of America Toolbar, powered by EarthLink, on the home page for free. The toolbar provides an icon that changes colors as the consumer surfs the Internet, letting the person know with a red, yellow or green symbol whether they've landed on what could be a dangerous Web site. It also alerts consumers before they go to a Web page that is on a list of known phisher sites. The toolbar also includes a pop-up blocker tool, which prevents advertising windows from appearing in the consumer's main browser window.

SiteKey and the Bank of America Toolbar are part of an umbrella of security measures that includes a zero liability guarantee that protects customers from fraud losses, two-tiered authentication for funds transfers, and the capability for customers to stop receiving paper statements to reduce risks associated with sending sensitive information through the mail.

Bank of America also has enhanced the privacy and security sections of its Web site to include more tips about online and offline security.

January 5, 2006 at 10:40 PM in Security

December 31, 2005

Cyber Security Bulletin 2005 Summary

US-CERT Cyber Security Bulletin SB2005 -- Cyber Security Bulletin 2005 Summary

Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the section for the operating system on which the vulnerability was reported; however, because this information is obtained from open sources, this does not mean that the vulnerability affects only the operating system reported.

This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin in which the information was published. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating system vulnerabilities; and 2058 multiple operating system vulnerabilities.

Vulnerabilities

* Windows Operating System
* Unix/ Linux Operating System
* Multiple Operating System

Windows Operating Systems

* 1Two Livre d'Or Input Validation Errors Permit Cross-Site Scripting
* 3Com 3CDaemon Multiple Remote Vulnerabilities
* 3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
* 3Com 3CDaemon Multiple Remote Vulnerabilities (Updated)
* 3Com 3CServer FTP Command Buffer Overflows
* 3Com Network Supervisor File Disclosure
* 7-Zip Arbitrary Code Execution
* Aaron Outpost ASP Inline Corporate Calendar Permits Remote SQL Injection
* Absolute Image Gallery XE Cross-Site Scripting
* Absolute Shopping Package Solutions Shopping Cart Cross-Site Scripting
* Access Remote PC Password Disclosure
* Acidcat CMS SQL Injection Vulnerability
* ACNews Information Disclosure
* Acoo Browser Javascript Spoofing
* Acrobat Reader Invalid-ID-Handle-Error Remote Code Execution Vulnerability
* Active News Manager Username and Password SQL Injection
* ActiveBuyandSell SQL Injection and Cross-Site Scripting
* ActiveWeb Active Auction House SQL Injection and Cross-Site Scripting Vulnerability
* Acuity CMS Cross-Site Scripting
* Acute Website Incorporated PeerFTP_5 FTP Password Disclosure
* Adaptive Hosting Solutions ProductCart Cross-Site Scripting and SQL Injection Vulnerabilities
* Adobe Acrobat and Reader File Discovery
* Adobe Acrobat and Reader File Discovery (Updated)
* Adobe Acrobat Reader Invalid-ID-Handle-Error Remote Code Execution (Updated)
* Adobe License Management Service Elevated Privilege Vulnerability
* Adobe SVG Viewer Lets Remote Users Determine if Files Exist
* Advanced Browser Javascript Spoofing
* Advanced Communications Hosting Controller Lets Remote Users Create User and Host Accounts
* Adventia Chat Cross-Site Scripting Vulnerabilities
* aeNovo Information Disclosure
* aeNovo SQL Injection or Cross-Site Scripting
* A-FAQ SQL Injection
* AhnLab V3 Antivirus Arbitrary Code Execution
* AhnLab V3 DeviceIoControl Multiple Vulnerabilities
* Allinta Cross-Site Scripting
* Altiris Deployment Solution AClient Security Bypass
* Alt-N MDaemon and WorldClient Denial of Service
* Alt-N MDaemon Directory Traversal and Arbitrary File Writing
* Alt-N Technologies MDaemon Denial of Service
* Alt-N WebAdmin Multiple Remote Vulnerabilities
* ALWIL avast! antivirus May Fail to Detect Certain Viruses
* ALWIL Software Avast! Antivirus Aavmker4 Device Driver Elevated Privileges
* ALZip Arbitrary Code Execution
* ALZip Unauthorized System Control
* AM Browser Javascript Spoofing
* AMAX Information Technologies, Inc. Magic Winmail Server Input Validation
* Amp II 3D Game Engine Remote Denial of Service
* AN HTTP Server 'cmdIS.DLL' Buffer Overflow Arbitrary Code Execution and Cross-Site Scripting Vulnerability
* AOL Instant Messenger Buddy Icon Remote Denial of Service (Updated)
* AOL Instant Messenger Smiley Icon Location Remote Denial Of Service Vulnerability
* APG Technology ClassMaster Folder Access Vulnerability
* Apple Darwin Streaming Server Denial of Service
* Apple iTunes Arbitrary Code Execution
* Apple QuickTime for Windows Denial of Service Vulnerability
* Apple 'quicktime.qts' Error in Parsing 'qtif' Images Remote Denial of Service
* Ares Arbitrary Code Execution
* ArGoSoft FTP Server 'DELE' Command Remote Buffer Overflow
* ArGoSoft FTP Server 'DELE' Command Remote Buffer Overflow (Updated)
* ArGoSoft FTP Server Discloses Username Status to Remote Users
* ArGoSoft FTP Server 'SITE COPY' Shortcut File
* Argosoft Mail Server Cross-Site Scripting and Script Insertion Vulnerabilities
* ArGoSoft Mail Server Directory Traversals
* ASP Fast Forum Cross Site Scripting
* ASP Knowledgebase SQL Injection Vulnerability
* ASP Nuke SQL Injection and Cross Site Scripting
* Asp Press ACS Blog Access Vulnerability
* ASP Resources Forum SQL Injection
* ASPBB Information Disclosure
* aspclick.it ACNews Administrative Access Vulnerability
* ASP-DEV XM Forum Cross Site Scripting
* ASP-DEv XM Forum Cross-Site Scripting Vulnerability
* ASPJar Guestbook Input Validation
* ASPjar Guestbook SQL Injection
* ASPMForum SQL Injection
* ASPNuke Cross Site Scripting
* ASPPlayground .NET Arbitrary Upload
* asppress ACS Blog Cross-Site Scripting Vulnerability
* aspReady FAQ Manager SQL Injection
* ASP-Rider SQL Injection
* Asus VideoSecurity Online Directory Traversal or Information Disclosure
* atrium software Mercur Messaging Multiple Vulnerabilities
* Avant Browser Dialog Box Origin Spoofing
* Avast! antivirus Arbitrary Code Execution
* Avaya CMS FTP Daemon Wildcard Denial of Service
* AVIRA Antivirus Arbitrary Code Execution
* BakBone NetVault Buffer Overflows Permit Remote Code Execution
* Befriendly.com Einstein Password Disclosure
* BFCommand & Control Server Managers Multiple Vulnerabilities
* BisonFTP Server Denial of Service
* BitDefender Anti-Virus Arbitrary Code Execution or Privilege Elevation
* Bjornar Henden 'Yet Another Forum.net' Input Validation Errors Permits Cross-Site Scripting
* BK Forum SQL Injection Vulnerability
* Black Cactus Warrior Kings Denial of Service and Format String Vulnerabilities
* BlueCollar Productions i-Gallery Cross-Site Scripting & Directory Traversal
* BlueWhaleCRM SQL Injection
* Bontago Game Server Nickname Remote Buffer Overflow
* Brat Designs Breed Remote Denial of Service
* BrightStor ARCserve Backup Arbitrary Code Execution or Denial of Service
* BrightStor ARCserve Backup Discovery Service Buffer Overflow
* bttlxeForum Discloses Installation Path to Remote Users
* Bugtracker.NET Unspecified SQL Injection Vulnerabilities
* BulletProof FTP Server Privilege Escalation
* Bungie Studios Halo: Combat Evolved Denial of Service Vulnerability
* Captaris Infinite Mobile Delivery Input Validation
* Capturix ScanShare Password Disclosure
* CartWIZ Cross Site Scripting
* CartWIZ Cross Site Scripting or SQL Injection
* Centra Profile Script Insertion Vulnerability
* Centrinity FirstClass Bookmark Input File Execution Vulnerability
* Cerberus FTP Server Denial of Service
* Cerulean Studios Trillian Insecure Image Data Remote Buffer Overflow
* Cerulean Studios Trillian Remote Code Execution Vulnerability
* Cerulean Studios Trillian User Information Disclosure
* CF_Nuke Cross-Site Scripting or Information Disclosure
* Chris Moneymaker's World Poker Championship Arbitrary Code Execution
* CIS WebServer Remote Directory Traversal
* Cisco Security Agent Elevated Privileges
* CiscoWorks Information Spoofing or Disclosure
* Citrix MetaFrame Conferencing Manager Access Control Vulnerability
* Citrix MetaFrame Secure Access Manager and NFuse Elite Cross-Site Scripting
* Citrix MetaFrame Security Restriction Bypassing
* Citrix Program Neighborhood Agent Two Vulnerabilities
* Citrix Program Neighborhood Client Information Disclosure
* ClearSwift MIMEsweeper Arbitrary Code Injection
* Clever's Games Terminator 3: War of the Machines Remote Buffer Overflow & Denial of Service
* Code Ocean Ocean FTP Server Multiple Connections Denial of Service
* Comersus BackOffice Multiple Vulnerabilities
* Comersus BackOffice Plus Cross-Site Scripting
* Comersus Cart Cross Site Scripting or SQL Injection
* Comersus Cart Multiple Vulnerabilities
* Comersus Cross-Site Scripting Vulnerability
* Comersus Cross-Site Scripting Vulnerability
* Community Server Cross Site Scripting
* Community Server Forums Cross Site Scripting
* Computalynx CProxy Directory Traversal & Remote Denial of Service
* Computer Associates eTrust Antivirus Integer Overflow in Processing Microsoft OLE Data Lets Remote Users Execute Arbitrary Code
* Computer Associates eTrust Intrusion Detection Denial of Service Vulnerability
* Computer Associates Unicenter Asset Management Multiple Vulnerabilities
* Computer Knacks, Inc. SendLink Password Disclosure
* Compuware DriverStudio Privilege Elevation or Arbitrary Code Execution
* Compuware Softice 'DbgMsg.sys' Remote Denial of Service
* CoolCafe 'login.asp' SQL Injection & Information Disclosure
* Cosminexus Collaboration and Groupmax Collaboration Cross-Site Scripting or Denial of Service
* Crazy Browser Javascript Spoofing
* Crob FTP Server Buffer Overflow Vulnerabilities
* Crystal FTP Pro Buffer Overflow (Updated)
* Crystal Reports/ Business Objects Enterprise Server Denial of Service
* CSystems WebArchiveX Arbitrary File Access
* Cybration ICUII Password Disclosure
* DameWare Arbitrary Code Execution
* DameWare Mini Remote Control Privilege Escalation Vulnerability
* DameWare Password Disclosure Vulnerability
* Darrel O'Neil ASP Virtual News Remote SQL Injection Vulnerability
* Dead Pirate Software SimpleCam Directory Traversal Flaw
* DelphiTurk CodeBank (KodBank) Elevated Privileges
* DelphiTurk CodeBank Password Disclosure
* DelphiTurk FTP Information Disclosure
* DG Remote Control Server Denial of Service
* Digger Solutions Intranet Open Source SQL Injection
* DivX Player Skin File Directory Traversal
* DotNetNuke Script Insertion Vulnerabilities
* Doug Luxem Liberum Help Desk "id" SQL Injection Vulnerability
* DVBBS Cross Site Scripting
* DzSoft PHP Editor Denial of Service
* Early Impact ProductCart Input Validation Flaws in Lets Remote Users Inject SQL Commands
* Ecomm Professional Guestbook "AdminPWD" SQL Injection
* Ecomm Professional Shopping Cart SQL Injection Vulnerability
* ECW-Cart Cross-Site Scripting
* Elemental Software CartWIZ SQL Injection and Cross-Site Scripting Vulnerability
* EnCase Device Configuration Overlay Data Acquisition Vulnerability
* enVivo!soft enVivo!CMS SQL Injection and Privilege Escalation
* ePolicy Information Disclosure and Privilege Elevation
* E-POST SPA-PRO Mail @Solomon IMAP Directory Traversal and Buffer Overflow
* e-Quick Cart Multiple Vulnerabilities
* Eset NOD32 Arbitrary Code Execution
* Eternal Lines Web Server Remote Denial of Service
* Eternal Lines Web Server Remote Denial of Service (Updated)
* Eudora WorldMail Server Information Disclosure
* Eurofull E-Commerce 'mensresp.asp' Cross-Site Scripting
* exdwc NewsletterEz Input Validation Vulnerability Lets Remote Users Inject SQL Commands
* eXeem Password Disclosure
* ExoticSoft FilePocket Password Disclosure
* exploitlabs WebcamXP User Redirection and Denial of Service Vulnerability
* Fast Browser Pro Javascript Spoofing
* Fastream NETFile FTP/Web Server FTP Bounce Vulnerability
* Fastream NETFile Server File Creation Vulnerability
* FastStone 4in1 Browser Information Disclosure Vulnerability
* File Transfer Anywhere Passwords Disclosure
* FileZilla Server Denial of Service
* FileZilla Server Terminal Privilege Elevation or Arbitrary Code Execution
* Firefly Studios Stronghold 2 Remote Denial of Service
* FL Studio Arbitrary Code Execution
* Fortibus CMS SQL Injection & Information Modification
* forumKIT Cross-Site Scripting
* Foxmail 'MAIL FROM:' Remote Buffer Overflow
* Free SMTP Server As Open Relay
* Freeftpd Denial of Service
* freeFTPd Denial of Service
* F-Secure Anti-Virus for Exchange and Internet Gatekeeper Directory Traversal
* F-Secure ARJ Archive Buffer Overflow
* FTGate Denial of Service or Arbitrary Code Execution
* FTPshell Server Denial of Service
* FUN labs Games Denial of Service Vulnerability
* Funduc Search and Replace Buffer Overflow
* FutureSoft TFTP Server 2000 Directory Traversal & Buffer Overflows
* Gaim File Transfer Remote Denial of Service
* GASoft Gurgens Guest Book Discloses Database and Passwords to Remote Users
* GASoft Ultimate Forum Discloses Database and Passwords to Remote Users
* GD Software SD Server Directory Traversal
* Gene6 FTP Server Insecure Critical Functionality
* GeoVision Digital Video Surveillance System Authentication Bypass
* GFI LANguard Network Security Scanner Password Disclosure
* GFi MailEssentials Denial of Service Vulnerability
* GFI MailSecurity Arbitrary Code Execution or Denial of Service
* GlobalScape CuteFTP Multiple Command Response Buffer Overflow (Updated)
* GlobalSCAPE Secure FTP Server Buffer Overflow Lets Remote Users Execute Arbitrary Code
* GlobalSCAPE Secure FTP Server Buffer Overflow Lets Remote Users Execute Arbitrary Code (Updated)
* GNU DC++ Arbitrary Files Modification Vulnerability
* GNU FileZilla Server Denial of Service Vulnerabilities
* GNU Maxthon Security ID Disclosure Vulnerability
* GNU MyServer Directory Listing and Cross-Site Scripting Vulnerability
* Golden FTP Server File and Path Disclosure
* GoodTech Systems GoodTech SMTP Server "RCPT TO" Denial of Service Vulnerability
* GoodTech Systems Telnet Server for Windows NT/2000/XP/2003 Remote Buffer Overflow
* GoodTech's SMTP Server Arbitrary Code Execution
* Google Talk Denial Of Service
* GoSurf Browser Javascript Spoofing
* Gracebyte Network Assistant Remote Denial of Service
* GraphOn GO-Global For Windows Denial of Service or Arbitrary Code Execution
* Groove Virtual Office / Workspace Multiple Vulnerabilities
* Halocon Remote Denial of Service
* Handy Address Book Server Cross-Site Scripting
* Handy Address Book Server Cross-Site Scripting (Updated)
* Hauri Arbitrary Code Execution
* Hitachi Multiple Hibun Products Security Restriction Bypass
* Home FTP Server Arbitrary File Access
* Hosting Controller Credit Modification or Account Creation
* Hosting Controller Error.ASP Cross Site Scripting
* Hosting Controller Information Disclosure
* Hosting Controller Multiple Information Disclosure
* Hosting Controller Multiple Vulnerabilities
* Hosting Controller 'resellerresources.asp' SQL Injection
* Hosting Controller 'UserProfile.asp' Authentication Bypass
* HP VCRM Password Disclosure
* HTMLJunction EZGuestbook Discloses Database to Remote Users
* Hyper Estraier Information Disclosure
* IA eMailServer Denial of Service
* Iatek PortalApp Cross-Site Scripting Vulnerabilities
* Iatek PortalApp SQL Injection and Cross-Site Scripting Vulnerabilities
* Iatek SiteEnable SQL Command Injection and Cross-Site Scripting Vulnerabilities
* IBM DB2 Denial of Service & Information Disclosure
* IBM Rational ClearQuest Multiple Cross-Site Scripting
* IBM WebSphere Application Server File Servlet Source Code Disclosure
* IBM WebSphere Application Server JSP Engine Source Code Disclosure
* IceWarp Web Mail Cross Site Scripting or Directory Traversal
* IceWarp Web Mail Multiple Remote
* IceWarp Web Mail Multiple Remote Vulnerabilities (Updated)
* iCMS Cross-Site Scripting or SQL Injection
* IISWorks ASPKnowledgeBase Cross-Site Scripting
* IISWorks.com ASP KnowledgeBase Database Disclosure
* IISWorks.com ASP Webmail Database Disclosure
* IISWorks.com Fileman Database Disclosure
* IISWorks.com ListPics Database Disclosure
* IMRadio Password Disclosure
* INCA nProtect Gameguard Unauthorized Read/Write Access
* INCA nProtect Gameguard Unauthorized Read/Write Access (Updated)
* India Software Solution Shopping Cart 'signin.asp' SQL Injection
* Indiatimes Messenger Denial of Service
* InnerMedia DynaZip Arbitrary Code Execution
* Internet Explorer Arbitrary Code Execution
* Intersoft NetTerm Remote Code Execution (Updated)
* Ipswitch IMail Server IMAP EXAMINE Command Remote Buffer Overflow
* Ipswitch IMail Server Multiple Vulnerabilities
* Ipswitch IMail Server Multiple Vulnerabilities (Updated)
* Ipswitch IMail Server Remote Buffer Overflow (Updated)
* Ipswitch IMailMailEnable Denial of Service
* Ipswitch WhatsUp Multiple Vulnerabilities
* Ipswitch WhatsUp Professional SQL Injection Vulnerability
* Ivory.org Whisper 32 Password Disclosure
* IVT BlueSoleil Directory Traversal Vulnerability
* Jeuce Personal Web Server Directory Traversal & Denial of Service
* Jeuce Personal Web Server Remote Denial of Service
* JiRo's Upload System Input Validation Vulnerability Lets Remote Users Inject SQL Commands
* JoWood Chaser Remote Buffer Overflow
* JoWood Productions Soldner Secret Wars Multiple Remote Vulnerabilities
* JView Profiler Arbitrary Code Execution
* KarjaSoft Sami HTTP Server Input Validation Holes
* Kaspersky Anti-Virus Klif.Sys Privilege Escalation Vulnerability
* Kerio Personal Firewall Access Vulnerability
* Kerio Personal Firewall and Server Firewall Denial of Service
* Kerio Products Password Brute Force and Denial of Service
* Kerio WinRoute Firewall Security Restriction Bypassing
* Keyvan1 ImageGallery Information Disclosure Vulnerability
* KF Web Server Directory Listings Disclosure
* KillProcess Arbitrary Code Execution
* K-Meleon Denial of Service
* K-Meleon Denial of Service (Update)
* Kmint Software Golden FTP Server 'USER' Remote Buffer Overflow
* KMiNT21 Software Golden FTP Server RNTO Command Buffer Overflow
* KMiNT21 Software Golden FTP Server RNTO Command Buffer Overflow (Updated)
* LeapFTP Arbitrary Code Execution
* Lightspeed Technologies DeluxeFTP Information Disclosure Vulnerability
* LionMax Software Chat Anywhere Password Disclosure
* livingmailing Input Validation Hole Lets Remote Users Inject SQL Commands
* LocazoList Classifieds Cross-Site Scripting
* LogiSphere Denial of Service
* Loki Download Manager SQL Injection
* LS Games War Times Denial of Service
* M. Dev Software ZipGenius Remote File Creation Vulnerability
* Macallan Mail Solution Denial of Service Vulnerability
* Macromedia Breeze Communication Server Denial of Service
* Macromedia Breeze Information Disclosure
* Macromedia Contribute Publishing Server Information disclosure
* Macromedia Products eLicensing Function Escalated Privilege Vulnerability
* Magnus Lundvall Yawcam Information Disclosure Vulnerability
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution
* MailEnable Arbitrary Code Execution (Updated)
* MailEnable Arbitrary Code Execution or Denial of Service
* MailEnable Denial of Service
* MailEnable Denial of Service
* MailEnable Denial of Service Vulnerability
* MailEnable HTTPMail Vulnerability
* MailEnable IMAP "LOGIN" Command Buffer Overflow Vulnerability
* MailEnable Professional Arbitrary Code Execution
* MailEnable Standard SMTP Format String Vulnerability
* MailEnable Unspecified SMTP Authentication Denial of Service
* MailSite Express Arbitrary Code Execution
* Mall23 SQL Injection
* Mall23 SQL Injection (Updated)
* Massimiliano Montoro Cain Abel Buffer Overflow Causes Remote Code Execution
* MaxWebPortal Cross-Site Scripting and SQL Injection
* MaxWebPortal Input Validation Hole in 'password.asp' Permits SQL Injection
* MaxWebPortal SQL Injection and Cross-Site Scripting Vulnerabilities
* MaxWebPortal SQL Injection and Privilege Escalation
* McAfee Internet Security Suite Elevated Privilege Vulnerability
* McAfee IntruShield Security Management System Cross Site Scripting & Information Disclosure
* McAfee Security Management System Elevated Privileges or Cross Site Scripting
* Media Online Store Portal SQL Injection Vulnerability
* Media2 CMS Shop SQL Injection
* Merak Mail Server Arbitrary File Access
* Mercury Mail Arbitrary Code Execution
* MercurySteam Scrapland Game Server Remote Denials of Service
* Metalinks MetaBid Three SQL Injection Vulnerabilities
* Metalinks MetaCart Multiple SQL Injection Vulnerabilities
* Microsoft ActiveSync Information Disclosure or Denial of Service
* Microsoft Agent Could Allow Spoofing
* Microsoft Agent Could Allow Spoofing
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Canonicalization (Updated)
* Microsoft ASP.NET Unicode Character Conversion Multiple Cross-Site Scripting
* Microsoft ASP.NET ViewState Denial of Service and Security Bypass
* Microsoft Client Service for NetWare Arbitrary Code Execution
* Microsoft Client Service for NetWare Arbitrary Code Execution (Updated)
* Microsoft Collaboration Data Objects Arbitrary Code Execution
* Microsoft DirectX DirectShow Arbitrary Code Execution
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft DirectX DirectShow Arbitrary Code Execution (Updated)
* Microsoft Excel Arbitrary Code Execution
* Microsoft Exchange Server 2003 Denial of Service
* Microsoft Exchange Server Nested Subfolders Remote Denial of Service
* Microsoft Exchange Server Remote Code Execution Vulnerability
* Microsoft Exchange Server Remote Code Execution Vulnerability (Updated)
* Microsoft Exchange Server Remote Code Execution Vulnerability (Updated)
* Microsoft FrontPage 2000 DAV File Upload
* Microsoft FrontPage Denial of Service
* Microsoft HTML Help Could Allow Remote Code Execution
* Microsoft IIS Denial of Service
* Microsoft Internet Explorer AddChannel Cross-Zone Scripting
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Arbitrary Code Execution (Updated)
* Microsoft Internet Explorer Could Allow Remote Code Execution
* Microsoft Internet Explorer Denial of Service
* Microsoft Internet Explorer Denial of Service
* Microsoft Internet Explorer Denial of Service (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer DHTML Edit Control Script Injection (Updated)
* Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability
* Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability (Updated)
* Microsoft Internet Explorer Dynamic IFRAME Security Bypass
* Microsoft Internet Explorer Favorites List
* Microsoft Internet Explorer FTP Download Directory Traversal
* Microsoft Internet Explorer HREF Tag Mouse Event
* Microsoft Internet Explorer Information Disclosure
* Microsoft Internet Explorer Information Disclosure
* Microsoft Internet Explorer Information Disclosure (Updated)
* Microsoft Internet Explorer JavaScript OnLoad Handler Remote Denial of Service
* Microsoft Internet Explorer Lets Remote Users Hide Scripting Code
* Microsoft Internet Explorer Malformed 'File:' URI Denial of Service
* Microsoft Internet Explorer MSHTML.DLL CSS Handling Remote Denial of Service
* Microsoft Internet Explorer Remote Code Execution Vulnerability
* Microsoft Internet Explorer Remote Code Execution Vulnerability (Updated)
* Microsoft Internet Explorer Remote Information Disclosure
* Microsoft Internet Explorer Restricted Sites Malformed URI Remote Denial of Service
* Microsoft Internet Explorer Script-initiated Pop-up Windows Spoofing
* Microsoft Internet Explorer Unauthorized Access
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Unauthorized Access (Updated)
* Microsoft Internet Explorer Vulnerabilities
* Microsoft Internet Explorer Vulnerabilities (Updated)
* Microsoft Internet Explorer Web Folder Behaviors Information Disclosure or Arbitrary Code Execution
* Microsoft Internet Information Server HTTP Response Smuggling
* Microsoft IPV6 TCPIP Loopback LAND Denial of Service Vulnerability
* Microsoft ISA Access and Elevation of Privilege Vulnerabilities
* Microsoft ISA Server in SecureNAT Configuration Denial of Service
* Microsoft Jet Database Remote Code Execution Vulnerability
* Microsoft Jet Database Remote Code Execution Vulnerability (Updated)
* Microsoft Jet Database Remote Code Execution Vulnerability (Updated)
* Microsoft JView Profiler Arbitrary Code Execution (Updated)
* Microsoft Log Sink Class ActiveX Control
* Microsoft Media Player & Windows/MSN Messenger PNG Processing
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft Media Player & Windows/MSN Messenger PNG Processing (Updated)
* Microsoft MSN Messenger / Internet Explorer Application Crash
* Microsoft MSN Messenger Remote Code Execution Vulnerability
* Microsoft MSN Messenger Remote Code Execution Vulnerability (Updated)
* Microsoft MSRPC Information Disclosure
* Microsoft NetDDE Remote Code Execution (Updated)
* Microsoft Network Connection Manager Denial of Service
* Microsoft Network Connection Manager Denial of Service (Updated)
* Microsoft Office Denial of Service
* Microsoft Office InfoPath 2003 Information Disclosure Vulnerability
* Microsoft Office RC4 Stream Cipher
* Microsoft Office URL File Location Handling Buffer Overflow
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Office URL File Location Handling Buffer Overflow (Updated)
* Microsoft Outlook 2002 Connector For IBM Lotus Domino Policy Bypass Vulnerability
* Microsoft Outlook and Outlook Web Access Email Spoofing Vulnerability
* Microsoft Outlook Express Could Allow Remote Code Execution
* Microsoft Outlook Express Could Allow Remote Code Execution (Updated)
* Microsoft Outlook Express Could Allow Remote Code Execution (Updated)
* Microsoft Outlook Express Information Disclosure or System Crash
* Microsoft Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks
* Microsoft Outlook Web Access URI Redirection
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges (Updated)
* Microsoft Plug and Play Arbitrary Code Execution or Elevated Privileges (Updated)
* Microsoft Remote Desktop Protocol Denial of Service
* Microsoft Server Message Block Could Allow Remote Code Execution
* Microsoft SMTP Remote Code Execution (Updated)
* Microsoft SMTP Remote Code Execution (Updated)
* Microsoft SQL Server 2000 Multiple Vulnerabilities
* Microsoft Step-by-Step Interactive Training Could Allow Remote Code Execution
* Microsoft Telephony Service Remote Code Execution
* Microsoft Telnet Client Could Allow Information Disclosure
* Microsoft Update Rollup 1 for Windows 2000 SP4
* Microsoft Web Client Service Could Allow Remote Code Execution
* Microsoft Windows 2000 Group Restriction Bypass
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows ANI File Parsing Errors (Updated)
* Microsoft Windows Color Management Module Buffer Overflow or Arbitrary Code Execution
* Microsoft Windows Color Management Module Buffer Overflow or Arbitrary Code Execution (Updated)
* Microsoft Windows CreateRemoteThread Denial of Service
* Microsoft Windows Drag and Drop
* Microsoft Windows EMF File Denial of Service Vulnerability
* Microsoft Windows EMF File Denial of Service Vulnerability (Updated)
* Microsoft Windows Explorer and Internet Explorer Denial of Service Vulnerability
* Microsoft Windows Explorer Preview Pane Script Injection Vulnerability
* Microsoft Windows Explorer Preview Pane Script Injection Vulnerability (Updated)
* Microsoft Windows FTP Client Arbitrary File Control
* Microsoft Windows FTP Client Arbitrary File Control (Updated)
* Microsoft Windows Graphics Rendering Engine Arbitrary Code Execution
* Microsoft Windows HTML Help ActiveX Control
* Microsoft Windows HTML Help ActiveX Control (Updated)
* Microsoft Windows Hyperlink Object Library Buffer Overflow
* Microsoft Windows Hyperlink Object Library Buffer Overflow (Updated)
* Microsoft Windows Hyperlink Object Library Buffer Overflow (Updated)
* Microsoft Windows Image Rendering Denial of Service Vulnerability
* Microsoft Windows Indexing Service Buffer Overflow
* Microsoft Windows Indexing Service Buffer Overflow (Updated)
* Microsoft Windows Kerberos PKINIT Information Disclosure or Denial of Service
* Microsoft Windows Kerberos PKINIT Information Disclosure or Denial of Service
* Microsoft Windows Kernel Denial Of Service
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows Kernel Elevation of Privilege and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows LAND Attack Remote Denial of Service
* Microsoft Windows License Logging Service Buffer Overflow
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows License Logging Service Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows LoadImage API Buffer Overflow (Updated)
* Microsoft Windows Local Denial Of Service Vulnerability
* Microsoft Windows Media Player May Allow Redirection
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability (Updated)
* Microsoft Windows Message Queuing Remote Code Execution Vulnerability (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows MSDTC and COM+ Privilege Elevation, Arbitrary Code Execution, or Denial of Service (Updated)
* Microsoft Windows Network Connections Manager Library Denial of Service
* Microsoft Windows NTFS File Block Initialization
* Microsoft Windows OLE / COM Remote Code Execution
* Microsoft Windows Plug and Play Arbitrary Code Execution
* Microsoft Windows Plug and Play Arbitrary Code Execution (Updated)
* Microsoft Windows Plug and Play Arbitrary Code Execution (Updated)
* Microsoft Windows Print Spooler Arbitrary Code Execution
* Microsoft Windows Privilege Elevation
* Microsoft Windows Privilege Elevation (Updated)
* Microsoft Windows Remote Desktop Denial of Service
* Microsoft Windows Remote Desktop Protocol Private Key Disclosure
* Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure
* Microsoft Windows Remote Desktop 'TSShutdn.exe' Denial of Service Vulnerability
* Microsoft Windows Resource Kit 'w3who.dll' Buffer Overflow & Input Validation (Updated)
* Microsoft Windows Server 2003 Local Denial of Service Vulnerabilities
* Microsoft Windows SharePoint Services Cross-Site Scripting & Spoofing
* Microsoft Windows SharePoint Services Cross-Site Scripting & Spoofing (Updated)
* Microsoft Windows Shell Arbitrary Code Execution
* Microsoft Windows Shell Arbitrary Code Execution (Updated)
* Microsoft Windows Shell Remote Code Execution (Updated)
* Microsoft Windows Shell Remote Code Execution Vulnerability
* Microsoft Windows Shell Remote Code Execution Vulnerability (Updated)
* Microsoft Windows SMB Buffer Overflow
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows SMB Buffer Overflow (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (Updated)
* Microsoft Windows USB Driver Buffer Overflow
* Microsoft Windows 'User32.DLL' Icon Handling Remote Denial of Service
* Microsoft Windows XP Named Pipe Information Disclosure
* Microsoft Windows XP Windows Management Instrumentation Denial of Service
* Microsoft Windows XP Wireless Zero Configuration Service Information Disclosure
* Microsoft WINS Name Validation (Updated)
* Microsoft WINS Name Validation (Updated)
* Microsoft Word Buffer Overflow or Arbitrary Code Execution
* Microsoft Word MCW File Handler Buffer Overflow Vulnerability
* Microsoft Word Remote Code Execution & Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* Microsoft Word Remote Code Execution and Escalation of Privilege Vulnerabilities (Updated)
* MindAlign Multiple Vulnerabilities
* Miranda IM PopUp Plus Plugin Remote Code Execution Vulnerability
* Miranda IM PopUp Plus Plugin Remote Code Execution Vulnerability (Updated)
* Mozilla Bugzilla Internal Error
* Mozilla Firefox Download Dialog Spoofing Vulnerabilities
* MS ASP.NET Denial of Service
* MSN Messenger Protocol Denial of Service
* Multi-Computer Control System Denial of Service
* Multiple Vendor Arbitrary Code Execution
* Multiple Vendor ZoneAlarm Denial of Service
* Multiple Vendors Mozilla/Netscape/Firefox Browser Modal Dialog Spoofing
* Multiple Vendors Mozilla/Netscape/Firefox Browser Modal Dialog Spoofing (Updated)
* Musicmatch Jukebox Elevated Privilege and Cross-Site Scripting Vulnerabilities
* My Album Information Disclosure
* MyInternet Browser Javascript Spoofing
* Mysoft Technology Maxthon "m2_search_text" Information Disclosure Vulnerability
* MyTemplateSite Cross-Site Scripting
* NateOn Messenger Arbitrary Code Execution or Denial of Service
* Naxtor e-Directory Cross-Site Scripting or SQL Injection
* Naxtor Shopping Cart Cross-Site Scripting or SQL Injection
* Neslo Desktop Rover Denial of Service Vulnerability
* NetAuctionHelp Auction Software Cross-Site Scripting
* NetCaptor Browser Javascript Spoofing
* NetCPlus BusinessMail Server SMTP Command Validation Error Remote Denial of Service
* NetLeaf Limited NotJustBrowsing Discloses Application Passwords
* NetManage RUMBA Profile Handling Multiple Buffer Overflow
* NetManage RUMBA Profile Handling Multiple Buffer Overflow (Updated)
* NetObjects Fusion Information Disclosure
* Netscape Browser Information Disclosure Vulnerability
* Netscape Denial of Service
* Netscape IDN Implementation URL Spoof
* NetWin DMail Errors Let Remote Users Bypass Authentication and Execute Code
* NetworkActiv Web Server Cross-Site Scripting
* Network-Client.com FTP Now Local Information Disclosure Vulnerability
* Newmad Technologies PicoWebServer Remote Buffer Overflow
* NEXTWEB (i)Site Discloses Database and Passwords to Remote Users and Permits SQL Injection
* NodeManager SNMPv1 traps Buffer Overflow
* NodeManager SNMPv1 traps Buffer Overflow (Updated)
* Nortel Contivity VPN Client Password Disclosure Vulnerability
* Nortel Contivity VPN Client Password Disclosure Vulnerability (Updated)
* Nortel VPN Client Privilege Elevation
* Notify Technology NotifyLink Enterprise Server Multiple Vulnerabilities
* NotJustBrowsing Browser Javascript Spoofing
* Novell eDirectory Can Be Crashed With Requests Containing MS-DOS Device Names
* Novell eDirectory Denial of Service or Unauthorized File Access
* Novell eDirectory Security Bypass
* Novell GroupWise Arbitrary Code Execution
* Novell GroupWise Client Local Password Disclosure
* Novell Nsure Audit Denial of Service Vulnerability
* Nullsoft Winamp Malformed MP4 Remote Denial of Service (Updated)
* Nullsoft Winamp Multiple Unspecified Vulnerabilities
* Nullsoft Winamp Variant IN_CDDA.dll Remote Buffer Overflow
* OASYS Lite Cross-Site Scripting
* Ocean12 Calendar Manager Pro Authentication Bypassing
* Ocean12 Calendar Manager SQL Injection Vulnerability
* Ocean12 Mailing List Manager Remote SQL Injection
* Ocean12 Membership Manager Pro Cross-Site Scripting and SQL Injection Vulnerability
* OKBSYS Lite Cross-Site Scripting
* Oleh Yuschuk OllyDbg Error in Loading Causes Denial of Service Vulnerability
* Omni Browser Javascript Spoofing
* OneWorldStore Denial of Service Vulnerability
* OneWorldStore Information Disclosure Vulnerability
* OneWorldStore Multiple Vulnerabilities
* OpenConnect Systems WebConnect Remote Denial of Service and Information Disclosure
* OpenConnect Systems WebConnect Remote Denial of Service and Information Disclosure (Updated)
* Opera 'data:' URI Handler Spoofing
* Opera Web Browser Download Dialog File Manipulation
* Optimal Desktop Javascript Spoofing
* Orenosv HTTP/FTP Server Buffer Overflows
* Orvado ASP Nuke SQL Injection and Cross-Site Scripting Vulnerabilities
* OS4E 'LOGIN.ASP' SQL Injection
* Painkiller Buffer Overflow Remote Denial of Service
* Panda Software Antivirus Library ZOO Archive Heap Overflow
* pcAnywhere Authentication Denial of Service Vulnerability
* Peer2Mail Password Disclosure
* Peer2Mail Password Disclosure (Updated)
* Pegasus Mail Arbitrary Code Execution
* Perception LiteWeb Protected File Access Vulnerability
* Piotr Kowalski LANChat Pro Remote Denial of Service
* PlatinumFTPServer Malformed User Name Connection Remote Denial of Service
* PMSoftware Simple Web Server Buffer Overflow Permits Remote Code Execution
* PMSoftware Simple Web Server Remote Code Execution Vulnerability (Updated)
* PowerArchiver Arbitrary Code Execution
* PPP Infotech netMailshar Professional Two Vulnerabilities
* Pragma TelnetServer Lets Remote Users Hide Log Entries
* Prevx Pro File Modification & Driver Spoofing
* PrivaShare Denial of Service
* Process Explorer Arbitrary Code Execution
* ProRat Server Arbitrary Code Execution
* PY Software Active Webcam Webserver Remote Denials of Service & Information Disclosure
* Qualcomm Eudora E-mail, Stationary/Mailbox Files Remote Code Execution
* Quick 'n Easy FTP Server Denial of Service
* RaidenHTTPD Directory Traversal
* RaidenHTTPD Multiple Remote Vulnerabilities
* Randy Wable datatrac Denial of Service Vulnerability
* RARLAB WinRAR Directory Traversal
* Raysoft Video Cam Server Multiple Vulnerabilities
* RealArcade Vulnerabilities
* RealNetworks Realplayer Enterprise Buffer Overflow Vulnerability
* RealPlayer Enterprise Arbitrary Code Execution
* RealPlayer Security Zone Bypass
* Rebrand P2P Share Spy Information Disclosure Vulnerability
* Rediff Bol Windows Address Book Disclosure
* Reflection for Secure IT Multiple Vulnerabilities
* RhinoSoft Serv-U FTP Server Remote Denial of Service
* RockLiffe MailSite Express WebMail Multiple Vulnerabilities
* RSA ACE/ Agent for Web Cross Site Scripting
* RSA Authentication Agent for Web Buffer Overflow Vulnerability
* RSA Authentication Agent for Web Buffer Overflow Vulnerability (Updated)
* RSA Authentication Agent for Web for IIS Cross-Site Scripting Vulnerability
* RSA Authentication Agent for Web for IIS Cross-Site Scripting Vulnerability (Updated)
* Runtime GetDataBack for NTFS Local Information Disclosure Vulnerability
* rwAuction Pro Cross-Site Scripting
* SafeNet Sentinel License Manager Remote Buffer Overflow
* SafeNet Sentinel License Manager Remote Buffer Overflow (Updated)
* SafeNet SoftRemote VPN Client Key Disclosure
* Savant Web Server Remote Buffer Overflow
* Savant Web Server User Information Disclosure
* SecureOL VE2 Security Restriction Bypass
* SecureW2 Information Disclosure
* SecureW2 Information Disclosure (Updated)
* ServersCheck Directory Traversal
* Serv-U FTP Server Denial of Service
* Sights 'n Sounds Streaming Media Server Denial of Service
* Sigma ISP Manager SQL Injection Vulnerabilities
* SiteBeater MP3 Catalog Cross-Site Scripting
* SiteBeater News System Cross-Site Scripting
* Skype for Windows Security Bypass
* Slim Browser Javascript Spoofing
* SlimFTPd Arbitrary Code Execution
* SlimFTPd Denial of Service
* Small HTTP Server Arbitrary File Writing
* SmarterMail Cross-Site Scripting
* SnugServer FTP Service Directory Traversal
* soft3304 04WebServer Directory Traversal
* software602 602LAN SUITE HTML Log File Processing Flaw Lets Remote Users Hide Log Entries
* Software602 602LAN SUITE Input Validation
* Software602 602LAN SUITE Input Validation (Updated)
* Software602 602LAN SUITE Local File Detection and Denial of Service
* Software602 602LAN SUITE Local File Detection and Denial of Service (Updated)
* Softwin BitDefender Insecure Program Execution Vulnerability
* Solupress News Cross-Site Scripting
* Sony SunnComm MediaMax Insecure Directory Permissions (Updated)
* Sophos Anti-Virus Denial of Service
* SpeedProject Arbitrary Code Execution
* SSH Secure Shell and Tectia Server Key Disclosure
* SSH Secure Shell and Tectia Server Key Disclosure (Updated)
* StoneGate Firewall and VPN Engine Denial of Service
* Storage Exec/ StorageCentral Arbitrary Code Execution
* Storage Exec/ StorageCentral Arbitrary Code Execution
* StorePortal Multiple SQL Injection
* Stormy Studios KNet Remote Buffer Overflow
* StumbleInside GoText Discloses Users Configuration Data
* Sukru Alatas's Guestbook Database Disclosure
* Sun Java System Web Server Denial of Service Vulnerability
* Sybari Antigen for Exchange Security Bypass
* Sybase Adaptive Server Enterprise Unspecified Vulnerability
* Symantec Anti Virus Arbitrary Code Execution
* Symantec Anti Virus Arbitrary Code Execution (Updated)
* Symantec Anti Virus Password Disclosure
* Symantec AntiVirus Corporate Edition and Client Security Privilege Elevation
* Symantec AntiVirus Products RAR Archive Virus Detection Bypass
* Symantec AntiVirus SMB Scan Detection Bypass
* Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow
* Symantec Discovery Unauthorized Access
* Symantec Multiple Products AutoProtect Errors Denial of Service Vulnerability
* Symantec Multiple Products AutoProtect Errors Denial of Service Vulnerability (Updated)
* Symantec Norton GoBack Lets Local Users Bypass Authentication
* Symantec pcAnywhere Privilege Escalation Vulnerability
* TAC Vista Directory Traversal
* TCP Chat Denial of Service
* TCP-IP Datalook Denial of Service
* Team JohnLong RaidenFTPD Information Disclosure Vulnerability
* Techland Xpand Rally Remote Denial of Service
* Techland Xpand Rally Remote Format String
* Techno Dreams Multiple Product SQL Injection
* ThePoolClub iPool Information Disclosure Vulnerability
* ThePoolClub iSnooker Information Disclosure Vulnerability
* ToCA Race Driver Arbitrary Code Execution
* TrackerCam Multiple Remote Vulnerabilities
* TrackerCam Multiple Remote Vulnerabilities (Updated)
* Trend Micro OfficeScan Information Disclosure
* Trend Micro PC-cillin Privilege Elevation
* Trend Micro ServerProtect Multiple Vulnerabilities
* Typsoft FTP Server Denial of Service
* Uapplication Products Password Disclosure
* Uapplication Ublog Cross-Site Scripting Vulnerability
* Ubisoft The Settlers: Heritage of Kings Player Logging Buffer Overflow Vulnerability
* Ublog Reload SQL Injection and Cross-Site Scripting
* UR Software W32Dasm Remote Buffer Overflow
* UStore Cross-Site Scripting or SQL Injection
* VERITAS Backup Exec Buffer Overflow (Updated)
* Veritas Backup Exec Multiple Vulnerabilities
* Veritas Backup Exec Multiple Vulnerabilities (Updated)
* VERITAS NetBackup Arbitrary Code Execution
* VERITAS NetBackup Arbitrary Code Execution (Updated)
* Veritas NetBackup Denial of Service
* Virtools Web Player Arbitrary Code Execution or Arbitrary File Control
* VLAIBB 'sig2dat' Integer Overflow & Remote Denial of Service
* VP-ASP Shopping Cart Cross-Site Scripting
* VP-ASP SQL Injection
* vxFtpSrv Arbitrary Code Execution
* vxTftpSrv Arbitrary Code Execution
* vxWeb Denial of Service
* Walla! TeleSite SQL Injection or Cross-Site Scripting
* War FTP Daemon Remote Denial of Service
* Watchfire AppScan Arbitrary Code Execution
* Web Vulnerability Scanner Denial of Service
* Web Wiz Forums Information Disclosure
* WebEOC Multiple Vulnerabilities
* WebInspect Cross Site Scripting
* Webroot Desktop Firewall Authentication Bypassing or Arbitrary Code Execution
* Webroot Software My Firewall Plus Arbitrary File Corruption Vulnerability
* WebWasher Classic HTTP CONNECT Unauthorized Access
* WebWasher Classic HTTP CONNECT Unauthorized Access (Updated)
* WhatsUp Small Business Directory Traversal and Information Disclosure
* WheresJames Webcam Publisher Remote Code Execution Vulnerability
* Wichio 27Tools-in-1 Browser Javascript Spoofing
* Winace Remote Directory Traversal
* Winamp Arbitrary Code Execution
* WinHKI Multiple Remote Vulnerabilities
* Winmail Server Multiple Vulnerabilities
* WinRAR Arbitrary Code Execution
* WMailserver Information Disclosure
* WMR Simpson BookReview Input Validation Holes Permit Cross-Site Scripting & Path Disclosure
* Woodstone Servers Alive Help Function Escalated Privilege Vulnerability
* Woppoware PostMaster Multiple Vulnerabilities
* Working Resources BadBlue MFCISAPICommand Remote Buffer Overflow
* WSW ShowOff! Digital Media Software Two Vulnerabilities
* WWWeb Concepts Events System Input Validation Vulnerability
* WWWguestbook SQL Injection
* XcClassified Cross-Site Scripting
* XcPhotoAlbum Cross-Site Scripting
* Xinkaa WEB Station Directory Traversal
* X-Ways WinHex Denial of Service Vulnerability
* Yager Denial of Service and Remote Code Execution Vulnerabilities
* Yahoo! Messenger Custom Message Buffer Overflow
* Yahoo! Messenger Download Dialogue Box File Name Spoofing
* Yahoo! Messenger Insecure Default Installation
* Yahoo! Messenger URL Handler Remote Denial Of Service Vulnerability
* Yaosoft COOL! Remote Control Denial of Service
* YusASP Web Asset Manager Unauthorized Access
* ZipGenius Arbitrary Code Execution
* ZipGenius Multiple Directory Traversal Vulnerabilities
* ZipTorrent Password Disclosure
* ZixForum SQL Injection
* Zone Labs ZoneAlarm Vet Antivirus Engine Buffer Overflow
* ZonGG Input Validation Hole in 'ad/login.asp' Permits SQL Injection

Unix/ Linux Operating Systems

* 4D WebSTAR Grants Access to Remote Users and Elevated Privileges to Local Users
* 4D WebStar Remote IMAP Denial of Service
* 4D WebStar Tomcat Plugin Remote Buffer Overflow
* 4D WebStar Tomcat Plugin Remote Buffer Overflow (Updated)
* Abuse Multiple Vulnerabilities
* Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
* Adobe Acrobat Reader mailListIsPdf() Buffer Overflow (Updated)
* Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow
* Adobe Acrobat Reader UnixAppOpenFilePerform Buffer Overflow (Updated)
* Adobe Reader / Acrobat Arbitrary Code Execution & Elevated Privileges
* Adobe Reader For Unix Local File Disclosure
* Adobe Version Cue for Mac OS X Elevated Privileges
* Adobe Version Cue for Mac OS X Elevated Privileges (Updated)
* ADP Elite System Max 9000 Series Shell Access
* Adrian Pascalau GIPTables Firewall Insecure Temporary File Creation
* Alexander Barton ngIRCd Remote Buffer Overflow
* Alexander Barton ngIRCd Remote Format String
* Alexander Palmo Simple PHP Blog Remote Directory Traversal
* Alexis Sukrieh Backup Manager Information Disclosure
* Alexis Sukrieh Backup Manager Information Disclosure (Updated)
* Alkalay.Net Multiple Scripts Arbitrary Remote Command Execution & Directory Traversal
* AlmondSoft Almond Classifieds SQL Injection
* ALSA Stack Protection Weakness
* AltantForum Multiple Cross-Site Scripting
* Andrew Church IRC Services LISTLINKS Information Disclosure
* Andrew W. Rogers pcal Buffer Overflows (Updated)
* Apache Insecure Temporary File Creation
* Apache mod_include Buffer Overflow (Updated)
* Apache mod_include Buffer Overflow (Updated)
* Apache Mod_Proxy Remote Buffer Overflow (Updated)
* Apache mod_ssl Denial of Service (Updated)
* Apache mod_ssl Remote Denial of Service (Updated)
* Apache Mod_SSL SSL_Util_UUEncode_Binary Stack Buffer Overflow (Updated)
* Apache mod_ssl SSLCipherSuite Access Validation (Updated)
* Apache mod_ssl SSLCipherSuite Access Validation (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
* Apache SpamAssassin Lets Remote Users Deny Service
* Apache SpamAssassin Lets Remote Users Deny Service (Updated)
* Apache SpamAssassin Lets Remote Users Deny Service (Updated)
* ApacheTop Insecure Temporary File Creation
* Appfluent Technology Database IDS Buffer Overflow
* Appfluent Technology Database IDS Buffer Overflow (Updated)
* Apple ColorSync ICC Header Remote Buffer Overflow
* Apple iSync mRouter Buffer Overflow
* Apple iSync mRouter Buffer Overflow
* Apple Keynote 'keynote:' Lets Remote Users Access Local Files
* Apple Mac OS X AirPort Card Automatic Network Association
* Apple Mac OS X AppleFileServer Remote Denial of Service
* Apple Mac OS X 'at' Utility Information Disclosure
* Apple Mac OS X 'at' Utility Information Disclosure (Updated)
* Apple Mac OS X Default Pseudo-Terminal Permission
* Apple Mac OS X Finder 'DS_Store' Insecure File Creation
* Apple Mac OS X Font Book Font Collection Buffer Overflow
* Apple Mac OS X Java Update
* Apple Mac OS X Kernel searchfs() Buffer Overflow
* Apple Mac OS X Multiple Arbitrary Code Execution Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities
* Apple Mac OS X Multiple Vulnerabilities (Updated)
* Apple Mac OS X Multiple Vulnerabilities (Updated)
* Apple Mac OS X NetInfo Setup Tool Buffer Overflow
* Apple Mac OS X NetInfo Setup Tool Buffer Overflow (Updated)
* Apple Mac OS X 'parse_machfile()' Denial of Service
* Apple Mac OS X Perl Privilege Dropping
* Apple Mac OS X Security Update
* Apple Mac OS X Security Update
* Apple Mac OS X Security Update
* Apple Mac OS X Vulnerabilities
* Apple MacOS X Vulnerabilities
* Apple Mail EMail Message ID Header Information Disclosure
* Apple QuickTime Quartz Composer File Information Disclosure
* Apple QuickTime Quartz Composer File Information Disclosure (Updated)
* Apple Safari Data URI Memory Corruption
* Apple Safari Dialog Box Origin Spoofing
* Apple Safari IDN Implementation URL Spoof
* Apple Safari IDN Implementation URL Spoof (Updated)
* Apple Safari Input Validation
* Apple Safari Input Validation (Updated)
* Apple Safari Open Windows Injection (Updated)
* Apple Safari Web Browser HTTPS Denial of Service
* Apple Safari Web Browser JavaScript Remote Denial of Service
* APSIS Pound Remote Buffer Overflow
* APSIS Pound Remote Buffer Overflow (Updated)
* Arc Insecure Temporary File Creation
* Arc Insecure Temporary File Creation (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* ARJ Software UNARJ Remote Buffer Overflow (Updated)
* Astaro Security Linux HTTP CONNECT Unauthorized Access
* Astaro Security Linux HTTP CONNECT Unauthorized Access (Updated)
* Astaro Security Linux ISAKMP IKE Traffic Denial of Service
* Astaro Security Linux PPTP Server Unspecified Remote Denial of Service
* Asterisk Voicemail Unauthorized Access
* Atlant Pro Cross-Site Scripting
* Avaya Labs Libsafe Multi-threaded Process Race Condition Security Bypass
* Backup Manager File Permissions
* BackupNinja Insecure Temporary File Creation
* Bacula Insecure Temporary File Creation
* Bacula Insecure Temporary File Creation (Updated)
* BeMoore Software News2Net SQL Injection
* Benchmark Designs WHM AutoPilot 'server_inc' Include File Flaw
* Berlios GPSD Remote Format String
* Bidwatcher Remote Format String
* Bidwatcher Remote Format String (Updated)
* Binary Board System Multiple Cross-Site Scripting
* Black List Daemon select() Remote Buffer Overflow
* Black List Daemon select() Remote Buffer Overflow (Updated)
* Blog Torren