Nabble - Vulnerability - VulnDiscuss

Microsoft FTP Client Multiple Bufferoverflow Vulnerability

2007-11-27T22:14:06Z

Microsoft FTP Client Multiple Bufferoverflow
Vulnerability

#####################################################################

XDisclose Advisory : XD100096
Vulnerability Discovered: November 20th 2007
Advisory Reported : November 28th 2007
Credit : Rajesh Sethumadhavan

Class : Buffer Overflow
Denial Of Service
Solution Status : Unpatched
Vendor : Microsoft Corporation
Affected applications : Microsoft FTP Client
Affected Platform : Windows 2000 server
Windows 2000 Professional
Windows XP
(Other Versions may be also effected)

#####################################################################

Overview:
Bufferoverflow vulnerability is discovered in
microsoft ftp client. Attackers can crash the ftp
client of the victim user by tricking the user.

Description:
A remote attacker can craft packet with payload in the
"mget", "ls", "dir", "username" and "password"
commands as demonstrated below. When victim execute
POC or specially crafted packets, ftp client will
crash possible arbitrary code execution in contest of
logged in user. This vulnerability is hard to exploit
since it requires social engineering and shellcode has
to be injected as argument in vulnerable commands.

The vulnerability is caused due to an error in the
Windows FTP client in validating commands like "mget",
"dir", "user", password and "ls"

Exploitation method:

Method 1:
-Send POC with payload to user.
-Social engineer victim to open it.

Method 2:
-Attacker creates a directory with long folder or
filename in his FTP server (should be other than IIS
server)
-Persuade victim to run the command "mget", "ls" or
"dir" on specially crafted folder using microsoft ftp
client
-FTP client will crash and payload will get executed

Proof Of Concept:
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Note: Modify POC to connect to lab FTP Server
(As of now it will connect to
ftp://xdisclose.com)

Demonstration:
Note: Demonstration leads to crashing of Microsoft FTP
Client

Download POC rename to .bat file and execute anyone of
the batch file
http://www.xdisclose.com/poc/mget.bat.txt
http://www.xdisclose.com/poc/username.bat.txt
http://www.xdisclose.com/poc/directory.bat.txt
http://www.xdisclose.com/poc/list.bat.txt

Solution:
No Solution

Screenshot:
http://www.xdisclose.com/images/msftpbof.jpg

Impact:
Successful exploitation may allows execution of
arbitrary code with privilege of currently logged in
user.

Impact of the vulnerability is system level.

Original Advisory:
http://www.xdisclose.com/advisory/XD100096.html

Credits:
Rajesh Sethumadhavan has been credited with the
discovery of this vulnerability

Disclaimer:
This entire document is strictly for educational,
testing and demonstrating purpose only. Modification
use and/or publishing this information is entirely on
your own risk. The exploit code/Proof Of Concept is to
be used on test environment only. I am not liable for
any direct or indirect damages caused as a result of
using the information or demonstrations provided in
any part of this advisory.

____________________________________________________________________________________
Be a better pen pal.
Text or chat with friends inside Yahoo! Mail. See how. http://overview.mail.yahoo.com/

PacSec 2007 Agenda (Tokyo 11-29/30)

2007-10-21T22:42:52Z

Talk selections for PacSec 2007 - November 29 and 30 - Aoyama Diamond Hall

-------
- Programmed I/O accesses: a threat to virtual machine monitors? - Loic
Duflot,

- Developing Fuzzers with Peach - Michael Eddington, Leviathan Security

- Cyber Attacks Against Japan - Hiroshi Kawaguchi, LAC

- Windows Localization: Owning Asian Windows Versions - Kostya Kortchinsky,
Immunity

- TOMOYO Linux - Toshiharu Harada, NTT Data

- IPV6 Demystified - Jun-ichiro itojun Hagino , IPv6Samurais

- Automated JavaScript Deobfuscation - Alex Rice, Websense Security Labs

- Enter Sandman (why you should never go to sleep) - Nicolas Ruff & Matthieu
Suiche, EADS

- Agent-oriented SQL Abuse - Fernando Russ & Diego Tiscornia, Core

- Bad Ideas: Using a JVM/CLR for Intellectual Property Protection - Marc
Schoenefeld, University of Bamberg

- Heap exploits are dead. Heap exploits remain dead. And we have killed them.
- Nicolas Waisman, Immunity

- Deploying and operating a Global Distributed Honeynet - David Watson,
Honeynet Project

- Office 0days and the people who love them - TBA, Microsoft
.
(I would also like to thank Colin Delaney and Stephen Ridley as standby
presenters)

------

Final Dojo schedule will be announced shortly but will include
both English and Japanese language dojos. In English Dojos will
include: Saumil Shah's Exploit Lab, Andrea Barisani's Linux Hardening,
and the folks from Immunity doing a course on bugfinding
with the Immunity debugger. In Japanese: Yuji Ukai will be
doing a reverse engineering course, and the McAfee/Foundstone
folks will be translating their Ultimate Web Hacking course into
Japanese for the first time. Dojos will be on Nov 27/28.

Talk descriptions will be up shortly. :-)

cheers,
--dr

P.s. other 2008 dates: CanSecWest March 26-28, EUSecWest May21/22
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

Re: iDefense Security Advisory 10.02.07: Sun Microsystems Solaris FIFO FS Information Disclosure Vulnerability

2007-10-04T12:16:02Z

Zaraza,

Thank you for pointing out the misleading text. The vulnerability is a
signedness error which leads to information disclosure. We have updated
the advisory to read as follows.

===
negative value can cause large amounts of kernel memory contents to be
disclosed.
===

VeriSign iDefense Labs

> From: 3APA3A <3APA3A_at_SECURITY.NNOV.RU>
> Date: Thu, 4 Oct 2007 20:38:51 +0400
>
> Dear iDefense Labs,
>
> Can you please clarify this issue? According to subject it looks like
> information leak (information disclosure) issue, while according to
> description, it looks more like memory leak (Denial of Service) issue.

iDefense Security Advisory 08.14.07: Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting Vulnerability

2007-08-14T16:34:59Z

Microsoft Windows Vista Sidebar RSS Feeds Gadget Cross Site Scripting
Vulnerability

iDefense Security Advisory 08.14.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 14, 2007

I. BACKGROUND

The Vista sidebar is a desktop extension that allows the user to keep a
number of "gadgets", which are mini-applications, running in constant
view on the desktop. Vista provides a number of default gadgets, such
as a calendar, a weather tool, and an RSS feed reader.

RSS feeds allow a content provider, such as a website, to let others
receive a stream of "headlines" describing content on the provider's
site. The feeds are often updated frequently, and allow a user to
receive information from a site without having to visit it. For
example, a user may subscribe to a news feed that updates every hour
with the headlines of top news stories. In order to subscribe to a
feed, a user needs a feed reader. Modern browsers, such as Internet
Explorer, provide a feed reader within the browser.

For more information about the Vista Sidebar and Gadgets please see the
following URL.

http://www.microsoft.com/windows/products/windowsvista/features/details/sidebargadgets.mspx

II. DESCRIPTION

Remote exploitation of a Cross Site Scripting (XSS) vulnerability in the
Windows Vista Sidebar RSS Gadget allows an attacker to execute arbitrary
code with the privileges of the logged in user.

The vulnerability exists within the parsing of the certain elements of
the items in an RSS feed. A properly crafted HTML tag within these
elements will not be removed, and will be rendered by the RSS gadget.
Since the RSS gadget runs in the local zone, the injected JavaScript
has full access to the system.

III. ANALYSIS

Exploitation of this vulnerability will result in the execution of
arbitrary code with the privileges of the user running the RSS gadget.
In order to exploit this, an attacker can inject JavaScript that will
download and execute a malicious binary.

The RSS gadget runs by default, but does not display any feeds unless a
user subscribes to them. As such, a user must be receiving data from a
malicious feed in order to be attacked.

In the most common scenario, this requires some form of social
engineering to convince a user to subscribe to a malicious feed. There
is no way to add a feed by simply clicking a link. The user must click
the 'Subscribe to this feed' button displayed when visiting a feed in
Internet Explorer. After adding the feed, exploitation will occur once
the gadget attempts to display the feed.

Another attack vector that requires significantly less social
engineering requires an attacker control a trusted feed. If an attacker
can find some way to inject data into a trusted feed then they will be
able to exploit any subscribers to the feed.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Microsoft
Windows Vista Business. Other versions are suspected to be vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

Microsoft has addressed this vulnerability within MS07-048. For more
information, consult their bulletin at the following URL.

http://www.microsoft.com/technet/security/Bulletin/MS07-048.mspx

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-3033 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

03/21/2007 Initial vendor notification
03/21/2007 Initial vendor response
08/14/2007 Coordinated public disclosure

IX. CREDIT

This vulnerability was reported to iDefense by Aviv Raff.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Really, really, penultimate, PacSec CFP deadline, Aug 10.

2007-07-31T15:39:18Z

Some folks have been trying to convince us to extend deadlines,
so being the sticklers we are, we said: no way... But they convinced
us. So to be fair - this is a heads up for others who didn't have time
to submit. :-) We'll try to turn around the selection reviews ASAP,
before the end of August for those who submitted.

cheers,
--dr

P.s. The gentleman from McAfee who phoned me about his
submission whose name I've forgotten, we didn't get your
mail, please get back in touch.
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

PacSec 2007 Call For Papers (Nov. 29/30, deadline July 27)

2007-07-03T21:39:12Z

PacSec CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of
information security in Japan, the best known figures in the
international security industry will get together with leading
Japanese researchers to share best practices and technology.
The most significant new discoveries about computer network
hack attacks will be presented at the fifth annual PacSec
conference to be discussed.

The PacSec meeting provides an opportunity for foreign
specialists to be exposed to Japanese innovation and markets
and collaborate on practical solutions to computer security
issues. In a relaxed setting with a mixture of material
bilingually translated in both English and Japanese the eminent
technologists can socialize and attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2007
network security training conference. The conference will be
held November 29-30th in Tokyo. The conference focuses on
emerging information security tutorials - it will be a bridge
between the international and Japanese information security
technology communities..

Please make your paper proposal submissions before July 27th,
2007. Slides for the papers must be submitted by October 1st
2007. The conference is November 29th and 30th 2007, presenters
need to be available in the days before to meet with
interpreters.

A some invited papers have been confirmed, but a limited number
of speaking slots are still available. The conference is
responsible for travel and accomodations for the speakers. If
you have a proposal for a tutorial session then please email a
synopsis of the material and your biography, papers and,
speaking background to secwest07 [at] pacsec.jp . Tutorials are
one hour in length, but with simultaneous translation should be
approximately 45 minutes in English, or Japanese. Only slides
will be needed for the October paper deadline, full text does
not have to be submitted.

The PacSec conference consists of tutorials on technical
details about current issues, innovative techniques and best
practices in the information security realm. The audiences are
a multi-national mix of professionals involved on a daily basis
with security work: security product vendors, programmers,
security officers, and network administrators. We give
preference to technical details and education for a technical
audience.

The conference itself is a single track series of presentations
in a lecture theater environment. The presentations offer
speakers the opportunity to showcase on-going research and
collaborate with peers while educating and highlighting
advancements in security products and techniques. The focus is
on innovation, tutorials, and education instead of product
pitches. Some commercial content is tolerated, but it needs to
be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal address,
phone, fax).

2) Employer and/or affiliations.

3) Brief biography, list of publications and papers.

4) Any significant presentation and educational
experience/background.

5) Topic synopsis, Proposed paper title, and a one paragraph
description.

6) Reason why this material is innovative or significant or an
important tutorial.

7) Where else has this material been presented or submitted?

8) Optionally, any samples of prepared material or outlines
ready.

Please forward the above information to secwest07 [at]
pacsec.jp to be considered for placement on the speaker roster.

cheers,
--dr

P.s. Some other dates of interest are announced:

CanSecWest 2008 March 19-21 see http://cansecwest.com
EUSecWest 2008 May 21/22 see http://eusecwest

P.P.S.

Also as a friendly reminder, CCC Camp is Aug 8 -12 2008, see
http://events.ccc.de/camp/2007/Intro (Hi Julia et al...)

Happy Independence Day and Canada Day,

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp

iDefense Security Advisory 04.03.07: Multiple Vendor Kerberos kadmind Buffer Overflow Vulnerability

2007-04-03T13:21:48Z

Multiple Vendor Kerberos kadmind Buffer Overflow Vulnerability

iDefense Security Advisory 04.03.07
http://labs.idefense.com/intelligence/vulnerabilities/
Apr 03, 2007

I. BACKGROUND

Kerberos is a network authentication protocol. It is used in
client-server systems to provide user authentication by using a ticket
based system. kadmind is the Kerberos administration server. It is used
to configure principals and policies on the Kerberos. More information
can be found on the vendor's website at the following URL.

http://web.mit.edu/Kerberos/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in the Kerberos
kadmind server, as included in various vendors' operating system
distributions, could allow attackers to execute arbitrary code on a
targeted host.

The vulnerability exists within the server's logging function,
klog_vsyslog(). A call is made to vsprintf(), with the destination
buffer passed as a fixed size stack buffer. User input is not properly
validated before being passed to this function, and a stack based
buffer overflow can occur.

III. ANALYSIS

Exploitation allows an attacker to execute arbitrary code with root
privileges on the targeted host.

In order to exploit this vulnerability, an attacker must have valid
credentials stored on the server. Administrator privileges are not
necessary. The kadmind server runs on the master Kerberos server. Since
the master server holds the KDC principal and policy database, a
compromise could lead to a compromise of multiple hosts that use the
server for authentication.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability with Kerberos
version 1.5.1 on Fedora CORE 5. It is likely that all distributions that
contain this version of Kerberos are vulnerable.

V. WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VI. VENDOR RESPONSE

The MIT Kerberos team has made patches available to address this
vulnerability. For more information consult their advisory at the
following URL.

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0957 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/08/2007 Initial vendor notification
02/08/2007 Initial vendor response
04/03/2007 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@... for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.

Conflict of Interest - My summary

2007-03-17T12:33:30Z

One point of view that was raised whereby it could possibly be determined
that an OS vendor providing security applications to protect it's OS was a
conflict of interest is as follows:

"IMHO I think the fear has always been that as long as an OS was closed
source, that company owning that OS could write or have inside knowledge of
vulnerability information that would benefit or promote that security
product more than another company. This could almost be classified like
insider trading."

Whilst this statement is somewhat true, many of the security vendors offer
up many other enterprise solutions to their customers that are not all about
protecting the end user from an 'attack'.

Whilst the install base may not be as big as that of an OS Vendor, many of
these enterprise solutions can be critical to the daily operation of a
business. So any vulnerabilities found in these products, these security
vendors can mitigate the risk at day zero by applying IPS / IDS signatures
to their existing product range in the absence of a patch.

Are they likely to share this zero day information with their competition, I
think not.

Also, is it really such a bad thing that an OS vendor who offers up Security
Applications can immediately protect its customer base at almost day zero
when a vulnerability has been reported to secure@... by adding the
protection capability within its Secuirity Apps. At this point the vendor
knows their customers in the interim are protected, whilst they get down to
examining the area of code for the flaw, determine if there are any more
vulnerabilities and then produce a patch.

Another good example is Oracle, they have their Database Vault, which is
'designed' to add an additional layer of security to protect their database
and their customer. This is clearly a responsible approach, but I do not
hear any complaints or shouts of a conflict of interest by those that
produce 'Database IDS / IPS' solutions.

There will always be the argument that an OS vendor should not charge for
the OS and then charge for the additional security protection, but for some
vendors, they may have no other alternative as it may pave the way for a
lawyers banquet which they would most likely lose in the end. (I am no
laywer, but one could easily forsee, every security vendor filing Anti-Trust
law suits, they would have to, they need to protect their business and their
shareholders)

There will also, always be the arguement from security vendors that (and
lets be honest about it, they are only talking about Microsoft here), that
MS should share zero day vulnerabilities with them so that they can offer
the same level of protection within their security solutions. This is
unlikely to ever happen (would they share their zero days with MS ?) Of all
the applications out there, do they get zero day information from any other
vendor such as Sun, IBM, HP, Apple etc, again I think not.

My original email, was to get a wider well informed view of opinions on the
subject to determine if my belief was right / wrong.

So I guess my opinion in conclusion still stands, that ANY software vendor
who looks to add additional layers of security (free or not), it (IMHO) is
not a conflict of interest and serves the end user well. By what ever means
necessary, it should be the responsibility of the vendor to include / offer
increased 'peace of mind'.

Thanks to all those that contributed

All the best

Mark

Your Opinion +

2007-03-16T16:10:59Z

A common comment being made is that a Vendor who creates and sells and OS,
and then sells security applications to protect their OS is a conflict of
interest.

Consider the Anti-Trust law suits filed against MS by AOL regarding IE and
RealNetworks regarding Windows Media Player back in 2003, lets say for
discussion, MS now turn around and offer up their 'Security Applications'
for free. You know exactly what is going to happen.

(I believe the main issue with AOL and Real Networks was that IE and WMP
were bundled within the OS.)

I guess my point is, whilst I appreciate the common comment, what other
options are available to an OS vendor. Offer it up as a free download (not
bundled within the OS) allowing the end user to make the decision, or to
carry on charging for it ?

Another common theme has been, that the OS should be secure in the first
place. Again I agree with this, but as someone indicated developers
schedules are being dictated by their marketing departments with shipment
dates, so regardless of their intentions to code securely a vulnerability is
likely slip through.

With regard to third party security solutions outside of the OS vendor, in
reality how many new security issues does their software introduce to a
fully patched OS.

Cheers

Mark

Re: Your Opinion

2007-03-16T14:25:32Z

Ummm, hhheeelllooo. Given the MS security history, Genuine
Advantage (phone home), etc, would you really trust their
decisions and software? I, for one, will be running Wireshark
on any new MS implementations (when I get them). I do think
it's applaudable that they are trying to increase security,
but they have a long way to go yet (and trust is something
that needs to be demonstrated, not dictated).
-George
PS - At least we're not talking about Oracle ;-)

On Fri, 16 Mar 2007, Mark Litchfield wrote:

| I have heard the comment "It's a huge conflict of interest" for one company
| to provide both an operating platform and a security platform" made by John
| Thompson (CEO Symantec) many times from many different people. See article
| below.
|
| http://www2.csoonline.com/blog_view.html?CID=32554
|
| In my personal opinion, regardless of the vendor, if they create an OS, why
| would it be a conflict of interest for them to want to protect their own OS
| from attack. One would assume that this is a responsible approach by the
| vendor, but one could also argue that their OS should be coded securely in
| the first place. If this were to happen then the need for the Symantec's,
| McAfee's of the world would some what diminsh.
|
| Anyway I am just curious as to what other people think.
|
| Thanks in advance
|
| Mark
|
|
| --
| This message has been scanned for viruses and
| dangerous content by MailScanner, and is
| believed to be clean.
|
|

---------------------------------------------------------------------------
George Yobst, Library Technology Analyst phone: 503.723.4890
Library Information Network of Clackamas County fax: 503.794.8238
16239 SE McLoughlin Blvd, Suite 208 web: http://www.lincc.lib.or.us
Oak Grove, OR 97267-4654 email: george@...
"...it is impossible for anyone to begin to learn
what he thinks he already knows." - Epictetus

RE: Your Opinion

2007-03-16T14:15:32Z

Wouldn't it be wonderful if we could have this discussion without mentioning
the M-word?

It seems to me that the OS vendor's ethical obligation is to produce the
most secure platform they reasonably can and to fix any and all problems in
it for free. Beyond that, lots of security problems exploit weaknesses in
things other than the OS (like, say, the users) and there will always be a
place (market?) for protection against those things regardless of how secure
the OS platform is.

Further, I'd bet that most of us are fans of defense in depth. Even if an
OS was as secure as it could be and patches were free and ubiquitous,
wouldn't it be prudent to layer something on top of that? If the OS vendor
is acting ethically, following the obligations mentioned above, what
difference could it make who produces the layered security product?

The so-called conflict of interest arises from the perception, rightly or
wrongly, that the OS vendor might be tempted to act in a less than ethical
manner. If we presume ethics always and punish severely ethical lapses
(which we should do regardless), it doesn't matter who produces the security
platform.

It would be most interesting to have a poll on this subject, both of the
security community and the public at large.

Scott

-----Original Message-----
From: Mark Litchfield [mailto:Mark@...]
Sent: Friday, March 16, 2007 2:49 PM
To: bugtraq@...; vulnwatch@...;
full-disclosure@...
Subject: Your Opinion

I have heard the comment "It's a huge conflict of interest" for one company
to provide both an operating platform and a security platform" made by John
Thompson (CEO Symantec) many times from many different people. See article
below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS, why
would it be a conflict of interest for them to want to protect their own OS
from attack. One would assume that this is a responsible approach by the
vendor, but one could also argue that their OS should be coded securely in
the first place. If this were to happen then the need for the Symantec's,
McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark

Your Opinion

2007-03-16T12:48:30Z

I have heard the comment "It's a huge conflict of interest" for one company
to provide both an operating platform and a security platform" made by John
Thompson (CEO Symantec) many times from many different people. See article
below.

http://www2.csoonline.com/blog_view.html?CID=32554

In my personal opinion, regardless of the vendor, if they create an OS, why
would it be a conflict of interest for them to want to protect their own OS
from attack. One would assume that this is a responsible approach by the
vendor, but one could also argue that their OS should be coded securely in
the first place. If this were to happen then the need for the Symantec's,
McAfee's of the world would some what diminsh.

Anyway I am just curious as to what other people think.

Thanks in advance

Mark

Windows Multimedia mmioRead Denial of Service Vulnerability

2007-03-11T05:34:03Z

It is possible to create specialy malformed audio file that will cause DoS
in application,
that uses winmm.dll library to access media files. According to MSDN:

The mmioRead function reads a specified number of bytes from a file opened
by using the mmioOpen function. LONG mmioRead(
HMMIO hmmio,
HPSTR pch,
LONG cch
);

Parameters

hmmio

File handle of the file to be read.

pch

Pointer to a buffer to contain the data read from the file.

cch

Number of bytes to read from the file.

Return Values

Returns the number of bytes actually read. If the end of the file has been
reached and no more bytes can be read, the return value is 0. If there is an
error reading from the file, the return value is - 1.

As we can see when we pass to big in cch parameter the function should
return -1. This is not what happens. When pussing very large value for
instance 0xFFFFFFFF the function mmioRead enters endless loop. A Proof of
Concept WAVE file has been created and it's available at:
http://sectroyer.110mb.com/mmio_die.wav. When this file is opened by
application SndRec32 it will cause 100% CPU consumption.
Michael Majchrowicz.

ANNOUNCE: Security OPUS San Francisco, CA - March 19-21, 2007

2007-03-07T17:32:29Z

From Richard over at Security OPUS

-Steve

---------------------------------------

Security OPUS Speaker Selection Finalized

http://SecurityOPUS.com March 19th-21st, 2007 in San Francisco, Ca

Please look for the final speakers list to appear by Monday March 5th.
Thank you all for submitting papers.

Security OPUS is a single-track conference geared toward security
professionals and administrators responsible for enterprise security. The
talks are longer for a more indepth discussion and to allow more time for
demonstrations. The environment is set up to give the attendee more
networking and enrichment time.

Registration is still open.

Thanks again,

Richard Lindberg
Organizer
http://SecurityOPUS.com

Re: Preliminary CFP:The 2nd International Conference on Availability, Reliability and Security (ARES 07), Vienna, Austria, April 10-13, 2007

2007-02-05T02:16:32Z

Dear Sir
The Mercury Life Guard, we have registered three of our delegates for the coming Conference, below are their names

Mr: ADEGBUYI AYANNUGA
Mr: USMAN IDRIS JATTO
Mr JATTO ALIU OMOLAJA

we have make all the necessary traveling arrangement, kindly issue letter of invitation for the delegates. we want the letter to be writing in Austria language and English language and attach the copies before you mail out original to our address.

Looking forward to hearing from you very soon

Best regards
Mr Aliu
Mercury Life Guard
26 Obalende Road
Ikoyi Lagos
3401 Nigeria
phone:+2348080501924
fax: +234012646802
Email:mercurylifeguard@gmail.com

Manh Tho wrote:

Apologies for multiple copies due to cross postings. Please send to
interested colleagues and students.

Preliminary Call for Papers
---------------------------------------------------------------------
The Second International Conference on Availability, Reliability
and Security (AReS)
ARES 2007 - "The International Security and Dependability
Conference"
---------------------------------------------------------------------
April 10th – April 13th, 2007
Vienna University of Technology, Austria
http://www.ares-conf.org
http://www.ares-conference.eu

Conference
-----------
The 1st International Conference on Availability, Reliability and
Security conference (ARES 2006) has been succesfully organized in
Vienna, AUSTRIA from April 20 to April 22, 2006 by the Technical
University of Vienna in cooperation with the European Network and
Security Agency (ENISA). We have attracted 250 participants for this
conference with its 3 keynotes speakers and its 9 workshops held
in conjunction with.

In continuation of the successful 1st ARES conference, The Second
International Conference on Availability, Reliability and Security
("ARES 2007 – The International Security and Dependability
Conference") will bring together researchers and practitioners in the
area of IT-Security and Dependability.

ARES 2007 will highlight the various aspects of security – with
special focus on secure internet solutions, trusted computing, digital
forensics, privacy and organizational security issues.

ARES 2007 aims at a full and detailed discussion of the research
issues of security as an integrative concept that covers amongst
others availability, safety, confidentiality, integrity,
maintainability and security in the different fields of applications.

Important Dates
----------------
* Workshop Proposal: September, 10th 2006
* Submission Deadline: November, 19th 2006
* Author Notification: January, 7th 2007
* Author Registration: January, 21st 2007
* Proceedings Version: January, 21st 2007

Workshop Proposal
-----------------
In conjunction with the AReS2007 conference, a number of workshops
will be organised. Workshop proposals which should include the call
for papers, the number of papers to be accepted, the contact person,
etc. are to be sent to the Workshop Organizing Committee
(tho@ifs.tuwien.ac.at), by September 10th 2006. Proceedings of the
ARES 2007 workshops will be published by IEEE Computer Society Press.

Topics of interest include, but are not limited to:
----------------------------------------------------
* Process based Security Models and Methods
* Authorization and Authentication
* Availability and Reliability
* Common Criteria Protocol
* Cost/Benefit Analysis
* Cryptographic protocols
* Dependability Aspects for Special Applications (e.g. ERP-Systems, Logistics)
* Dependability Aspects of Electronic Government (e-Government)
* Dependability administration
* Dependability in Open Source Software
* Designing Business Models with security requirements
* Digital Forensics
* E-Commerce Dependability
* Failure Prevention
* IPR of Security Technology
* Incident Response and Prevention
* Information Flow Control
* Internet Dependability
* Interoperability aspects
* Intrusion Detection and Fraud Detection
* Legal issues
* Mobile Security
* Network Security
* Privacy-enhancing technologies
* RFID Security and Privacy
* Risk planning, analysis & awareness
* Safety Critical Systems
* Secure Enterprise Architectures
* Security Issues for Ubiquitous Systems
* Security and Privacy in E-Health
* Security and Trust Management in P2P and Grid applications
* Security and privacy issues for sensor networks, wireless/mobile
devices and applications
* Security as Quality of Service
* Security in Distributed Systems / Distributed Databases
* Security in Electronic Payments
* Security in Electronic Voting
* Software Engineering of Dependable Systems
* Software Security
* Standards, Guidelines and Certification
* Survivability of Computing Systems
* Temporal Aspects of Dependability
* Trusted Computing
* Tools for Dependable System Design and Evaluation
* Trust Models and Trust Management
* VOIP/Wireless Security

Submission Guidelines
----------------------
Authors are invited to submit research and application papers
following the IEEE Computer Society Proceedings
Manuscripts style: two columns, single-spaced, including figures and
references, using 10 fonts, and number
each page. You can confirm the IEEE Computer Society Proceedings
Author Guidelines at the following web page:
URL: http://computer.org/cspress/instruct.htm

The Web site for paper registration and electronic submission will be
accessible from the first week of October 2006. Please refer to ARES
website (http://www.ares-conf.org or http://www.ares-conference.eu)
for update information.

Honorary Co-Chairs
-------------------
Norman Revell, Middlesex University, United Kingdom
Roland Wagner, University of Linz, Austria

General Co-Chairs
------------------
Guenther Pernul, University of Regensburg, Germany
Makoto Takizawa, Tokyo Denki University, Japan

Program Co-Chairs
------------------
Gerald Quirchmayr, University of Southern Australia, Australia
A Min Tjoa, Vienna University of Technology, Austria

Workshops Co-Chairs
--------------------
Nguyen Manh Tho, Vienna University of Technology, Austria
Abdelkader Hameurlain, University of Toulouse, France
Leonard Barolli, Fukuoka Institute of Technology (FIT), Japan

International Liaison Co-Chairs
--------------------------------
Maria Wimmer, University of Koblenz-Landau, Germany
Charles Shoniregun, University of East London, United Kingdom

Publicity Chair
----------------
Vladimir Marik, Czech Technical University, Czech Republic

Publication Chair
------------------
Monika Lanzenberger, Norwegian University of Science and Technology,
Trondheim, Norway

Local Organizing Chairs
------------------------
Maria Schweikert, Vienna University of Technology, Austria
Markus Klemen, Vienna University of Technology, Austria

Programme Committee
--------------------
TBD

EUSecWest 2007 Papers

2007-01-18T15:59:49Z

Hi,

For those who asked, we are still processing the submissions for CanSecWest
and the call closed, please stand by. The paper selections are back from the
reviewers for EUSecWest, in London on March 1-2.

In absolutely random order:

Threats against and protection of Microsoft's internal network - Greg Galford,
Microsoft
Linux Kernel == Security Nightmare - Marcel Holtmann, Red Hat
/GS and ASLR in Windows Vista - Ollie Whitehouse, Symantec
Fuzzing: history, perspectives and limits - Christian Wieser, Oulu university
The new OWASP Web Application Penetration Testing Methodology - Matteo Meucci
& Alberto Revelli, OWASP-Italy
Reverse Engineering Malicious Javascript - Jose Nazario, Ph.D., Arbor
Bypassing NAC Systems - Ofir Arkin, Insightix
RFID - Adam Laurie, trifinite
Protecting Next-Gen Networks @ Nx10G link sizes - Jim Deleskie, Teleglobe
Video Conferencing Security - Navid Jam, Sandia National Laboratories
Software Virtualization Based Rootkits - Sun Bing
VoIP Attacks! - Dustin D. Trammell, TippingPoint
Windows Vista Exploitation Countermeasures - Richard Johnston, Microsoft
OSX Security - Daniel Cuthbert, Corsaire
Distributed drone-based malware propagation and deployment automation -
Emmanuel H

We have added a new RFID dojo in London with Adam, and Nico
has a new VoIP Security dojo amongst the new dojos to be announced
for CanSecWest along with the paper selections. Dojos for London
have final schedules now.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. Mar 1-2 - 2007 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

Re: [VulnWatch] High Risk Vulnerability in the OpenOffice and StarOffice Suites

2007-01-04T12:55:08Z

* NGSSoftware Insight Security Research:

> The vulnerabilities, three heap overflows, affect OpenOffice 2.1.0 and

> http://download.openoffice.org/2.1.0/index.html

As far as I can tell, there is no version newer than 2.1.0 available
at the web site. According to uncorroborated, version 2.1.0 is not
affected.

Would anyone please clarify the situation? Thanks.

Online Gambling-Online Black Jack-Black Jack Casino-Online Slots-Slots Online

2007-01-02T08:25:07Z

cfp-2 wrote:

Hi, RUXCON is quickly approaching yet again. This e-mail is to bring you up to date on the latest developments on this years conference. Our speakers list is complete [1] and our timetable has been finalised [2]. Below is a list of presentations for RUXCON 2005 (in order of acceptance): 1. Breaking Mac OSX - Ilja Van Sprundel & Neil Archibald 2. Binary protection schemes - Andrew Griffiths 3. Using OWASP Guide 2.0 for Deep Penetration Testing - Andrew van der Stock 4. Black Box Web Application Penetration Testing - David Jorm 5. Long Filename, Long Parameter, Malformed Data. Another Day, Another Vulnerability. Same Bug, Different App. - Brett Moore 6. Computer Forensics: Practise and Procedure - Adam Daniel 7. Poker Paranoia - Sean Burford 8. Moving towards the Artificial Hacker - Ashley Fox 9. Attack automation - Roelof Temmingh 10. Electronic Evidence - a Law Enforcement Perspective - Jason Beckett 11. Beyond NX: An attackers guide to anti-exploitation technology for Windows - Ben Nagy 12. Crypto Rodeo - Amy Beth Corman 13. Trust Transience: Post Intrusion SSH Hijacking - Metlstorm 14. Attacking WiFi with traffic injection - Cedric "Sid" Blanche 15. Securing Modern Web Applications - Nik Cubrilovic 16. Malware Analysis - Nicolas Brulez 17. Deaf, Dumb and Mute: Defeating Network Intrusion Detection Systems (NIDS) - Christian Heinrich As in previous years, there will be activities and competitions, which allow attendees to have fun, win prizes, and socialise, all while enjoying a cold beer on an Australian summers day. Some activities which will be held during the conference include: * Capture the flag * Reverse engineering * Exploit development * Chilli eatoff * Trivia This will be the third year in a row in which we've brought a quality conference to the Australian computer security community. Hope to see you there. Regards, RUXCON Staff http://www.ruxcon.org.au [1] http://www.ruxcon.org.au/2005-presentations.shtml [2] http://www.ruxcon.org.au/2005-timetable.shtml

Online Black Jack

Where to buy viagra
Buy cheap acomplia
Buy cheap generic acomplia
Generic Pharmacy Online
Buy viagra where
Buy cheap viagra where
Buy cheap viagra where
Buy cheap acomplia
cheap generic acomplia
Order cheap acomplia
Order cheap Albenza

CanSecWest 2007 (April 18-20) Call For Papers (Deadline Jan 7th)

2006-12-13T15:57:55Z

CanSecWest 2007 CALL FOR PAPERS

VANCOUVER, Canada -- The eighth annual CanSecWest applied technical security
conference - where the eminent figures in the international security industry
will get together share best practices and technology - will be held in
downtown Vancouver at the the Mariott Renaissance Harbourside on April 18-20,
2007. The most significant new discoveries about computer network hack
attacks and defenses, commercial security solutions, and pragmatic real world
security experience will be presented in a series of informative tutorials.

The CanSecWest 2007 meeting provides international researchers a relaxed,
comfortable environment to learn from informative tutorials on key
developments in security technology, and collaborate and socialize with their
peers in one of the world's most scenic cities - a short drive away from one
of North America's top skiing areas.

The CanSecWest 2007 conference will also feature the availability of the
Security Masters Dojo expert network security sensei instructors, and their
advanced, and intermediate, hands-on training courses - featuring small class
sizes and practical application excercises to maximize information transfer.

We would like to announce the opportunity to submit papers, and/or lightning
talk proposals, for selection by the CanSecWest technical review committee.
Please make your paper proposal submissions before January 7th, 2007. Slides
for the papers must be submitted by March 15th, 2007.

Some invited papers have been confirmed, but a limited number of speaking
slots are still available. The conference is responsible for travel and
accomodations for the speakers. If you have a proposal for a tutorial session
then please email a synopsis of the material and your biography, papers and,
speaking background to secwes07@.... Only slides will be needed
for the March paper deadline, full text does not have to be submitted - but
will be accepted if available.

The CanSecWest 2007 conference consists of tutorials on technical details
about current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security work: security product
vendors, programmers, security officers, and network administrators. We give
preference to technical details and new education for a technical audience.

The conference itself is a single track series of presentations in a lecture
theater environment. The presentations offer speakers the opportunity to
showcase on-going research and collaborate with peers while educating and
highlighting advancements in security products and techniques. The focus is
on innovation, tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed up by a technical
presenter - either giving a valuable tutorial and best practices instruction
or detailing significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport) and
contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph description.
6) Reason why this material is innovative or significant or an important
tutorial.
7) Optionally, any samples of prepared material or outlines ready.
8) Will you have full text available or only slides?
9) Please list any other publications or conferences where this material has
been or will be published/submitted.

Please include the plain text version of this information in your email as
well as any file, pdf, sxw, ppt, or html attachments. (Some reviewers only
look at .txt info.) Multiple submissions are acceptable.

Please forward the above information to be considered for placement on the
speaker roster, or have your short lightning talk scheduled. Send all
conference related correspondence to secwes07@....

thanks,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. Feb 28 / Mar 1 - 2007 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

Call for papers: ARES 2007 submission deadline approaches in 2 weeks: 19-11-2006

2006-11-07T12:15:25Z

Apologies for multiple copies due to cross postings. Please send to
interested colleagues and students.

Call for Papers
+-------------------------------------------------------------------+
The Second International Conference on Availability, Reliability and
Security (AReS)
ARES 2007 - "The International Security and Dependability Conference"

April 10th – April 13th, 2007
Vienna University of Technology, Austria
http://www.ares-conf.org
http://www.ares-conference.eu
+-------------------------------------------------------------------+

Conference
-----------
The 1st International Conference on Availability, Reliability and
Security conference (ARES 2006) has been succesfully organized in
Vienna, AUSTRIA from April 20 to April 22, 2006 by the Technical
University of Vienna in cooperation with the European Network and
Security Agency (ENISA). We have attracted 250 participants for this
conference with its 3 keynotes speakers and its 9 workshops held in
conjunction with.

In continuation of the successful 1st ARES conference, The Second
International Conference on Availability, Reliability and Security
("ARES 2007 – The International Security and Dependability
Conference") will bring together researchers and practitioners in the
area of IT-Security and Dependability.

ARES 2007 will highlight the various aspects of security – with
special focus on secure internet solutions, trusted computing,
digital forensics, privacy and organizational security issues.

ARES 2007 aims at a full and detailed discussion of the research
issues of security as an integrative concept that covers amongst
others availability, safety, confidentiality, integrity,
maintainability and security in the different fields of applications.

Important Dates
----------------
* Submission Deadline: November, 19th 2006
* Author Notification: January, 7th 2007
* Author Registration: January, 21st 2007
* Proceedings Version: January, 21st 2007

Workshops
-----------
In conjunction with the ARES 2007 conference, a number of workshops
will be organized. We are very indebted for the effort of workshop's
organizers and workshop's PC members. Proceedings of the ARES 2007
workshops will be published by IEEE Computer Society Press.

* Workshop 1: Second International Workshop "Dependability Aspects
on Data WArehousing and Mining applications" (DAWAM 2007),
Jimmy Huang, York University, Canada + Josef Schiefer, Senactive
IT-Dienstleistungs GmbH, Austria + Nguyen Manh Tho, Vienna University
of Technology, Austria .DAWAM 2007

http://dawam.ares-conference.eu/

Submission Deadline: December, 17th 2006

* Workshop 2: Second Workshop on "Dependability and Security in
e-Government" (DeSeGov 2007), A Min Tjoa, Vienna University of
Technology, Austria + Erich Schweighofer, University of Vienna,
Austria + Nguyen Manh Tho, Vienna University of Technology, Austria
DeSeGov 2007

http://desegov.ares-conference.eu/

Submission Deadline: December, 15th 2006

* Workshop 3: Workshop on Foundations of Fault-tolerant Distributed
Computing (FOFDC 2007), Wilhelm Hasselbring, University of Oldenburg,
Germany + Matthias Rohr, University of Oldenburg, Germany + Christian
Storm, University of Oldenburg, Germany + Oliver Theel, University of
Oldenburg, Germany + Timo Warns, University of Oldenburg, Germany.
FOFDC 2007

http://trustsoft.uni-oldenburg.de/fofdc07/

Submission Deadline: December, 1st 2006

* Workshop 4: "Secure Software Engineering" (SecSE 2007), Torbjørn
Skramstad, Norwegian University of Science and technology (NTNU) +
Lillian Røstad, Norwegian University of Science and technology (NTNU)
+ Martin Gilje Jaatun, SINTEF ICT, Norway. SecSE 2007

http://secse.ares-conference.eu/

Submission Deadline: December, 17th 2006

* Workshop 5: Workshop on "Event-Based IT Systems", Modeling,
Designing, and Testing Correct, Secure, and Dependable Event-Based
System, Stefan Biffl, Vienna University of Technology + Eva Kühn,
Vienna University of Technology + Alexander Schatten, Vienna
Univeristy of Techology EBITS

http://ebits.ares-conference.eu/

Submission Deadline: November, 19th 2006

* Workshop 6: "Distributed Healthcare Availability, Reliability and
Security" (DIHARES 2007), Thomas Clark, Complete Cardiology Services
Ltd, USA. DIHARES 2007

http://dihares.ares-conference.eu/

Submission Deadline: November, 17th, 2006

* Workshop 7: "First International Workshop on Advances in Information
Security" (WAIS 2007), Leonard Barolli, Fukuoka Institute
of Technology, Japan + Arjan Durresi, Louisiana State University, USA
+ Hiroaki Kikuchi, Tokai university, Japan.WAIS 2007

http://www.csc.lsu.edu/~durresi/wais2007/index.html

Submission Deadline: December 1st, 2006

* Workshop 8: Second International Workshop on Bioinformatics and
Security (BIOS 2007), Hochreiter Sepp, University of Linz, Bioinf,
Austria + Küng Josef, University of Linz, FAW Austria + Wagner
Roland, University of Linz, FAW Austria. BIOS 2007

http://bios.ares-conference.eu/

Submission Deadline: November 20, 2006

* Workshop 9: Second International Workshop on Security and E-
Learning, Edgar Weippl, Secure Business Austria. SEL 2007

http://sel.ares-conference.eu/

Submission Deadline: November 19, 2006

* Workshop 10: Second Workshop on Information Security Risk
Management (ISRM), Professor Dr. D. Karagiannis, University of
Vienna, Austria + Dr. L. Marinos, ENISA, Greece . ISRM

http://www.ares-conference.eu/ares2006/www.ares-conf.org/index47da.html?q=isrm

* Workshop 11: The First International Workshop on Spoofing, Digital
Forensics and Open Source Tools (SDFOST), Judie Mulholland,
Florida Cybersecurity Institute, USA. SDFOST

http://www.ares-conference.eu/conf/index.php?option=com_content&task=view&id=33&Itemid=41

Submission Deadline: November 20, 2006

Topics of interest include, but are not limited to:
----------------------------------------------------
* Process based Security Models and Methods
* Autonomous Computing
* Authorization and Authentication
* Availability and Reliability
* Common Criteria Protocol
* Cost/Benefit Analysis
* Cryptographic protocols
* Dependability Aspects for Special Applications (e.g. ERP-Systems,
Logistics)
* Dependability Aspects of Electronic Government (e-Government)
* Dependability administration
* Dependability in Open Source Software
* Designing Business Models with security requirements
* Digital Forensics
* E-Commerce Dependability
* Failure Prevention
* IPR of Security Technology
* Incident Response and Prevention
* Information Flow Control
* Internet Dependability
* Interoperability aspects
* Intrusion Detection and Fraud Detection
* Legal issues
* Mobile Security
* Network Security
* Privacy-enhancing technologies
* RFID Security and Privacy
* Risk planning, analysis & awareness
* Safety Critical Systems
* Secure Enterprise Architectures
* Security Issues for Ubiquitous Systems
* Security and Privacy in E-Health
* Security and Trust Management in P2P and Grid applications
* Security and privacy issues for sensor networks, wireless/mobile
devices and applications
* Security as Quality of Service
* Security in Distributed Systems / Distributed Databases
* Security in Electronic Payments
* Security in Electronic Voting
* Software Engineering of Dependable Systems
* Software Security
* Standards, Guidelines and Certification
* Survivability of Computing Systems
* Temporal Aspects of Dependability
* Trusted Computing
* Tools for Dependable System Design and Evaluation
* Trust Models and Trust Management
* VOIP/Wireless Security

Submission Guidelines
----------------------
Authors are invited to submit research and application papers following
the IEEE Computer Society Proceedings Manuscripts style: two columns,
single-spaced, including figures and references, using 10 fonts, and
number each page. You can confirm the IEEE Computer Society Proceedings
Author Guidelines at the following web page:
http://www.ieee.org/portal/pages/pubs/transactions/stylesheets.html

Submission papers are classified into 3 categorizes (1) full paper
(8 pages), (2) short paper (5 pages), and (3) poster (2 pages)
representing original, previously unpublished work. Submitted papers
will be carefully evaluated based on originality, significance,
technical soundness, and clarity of exposition

The Web site for paper registration and electronic submission is available at:
http://www.ares-conf.org/confdriver/?q=confdriver/papers/add

Please refer to ARES website (http://www.ares-conf.org or
http://www.ares-conference.eu) for update information.

Honorary Co-Chairs
-------------------
Norman Revell, Middlesex University, United Kingdom
Roland Wagner, University of Linz, Austria

General Co-Chairs
------------------
Guenther Pernul, University of Regensburg, Germany
Makoto Takizawa, Tokyo Denki University, Japan

Program Co-Chairs
------------------
Gerald Quirchmayr, University of Southern Australia, Australia
A Min Tjoa, Vienna University of Technology, Austria

Workshops Co-Chairs
--------------------
Nguyen Manh Tho, Vienna University of Technology, Austria
Abdelkader Hameurlain, University of Toulouse, France
Leonard Barolli, Fukuoka Institute of Technology (FIT), Japan

International Liaison Co-Chairs
--------------------------------
Maria Wimmer, University of Koblenz-Landau, Germany
Charles Shoniregun, University of East London, United Kingdom

Publicity Chair
----------------
Vladimir Marik, Czech Technical University, Czech Republic

Publication Chair
------------------
Monika Lanzenberger, Norwegian University of Science and Technology,
Trondheim, Norway

Local Organizing Chairs
------------------------
Maria Schweikert, Vienna University of Technology, Austria
Markus Klemen, Vienna University of Technology, Austria

Programme Committee
--------------------
Jemal H. Abawajy, Deakin University, Australia
Karl Aberer, EPFL, Switzerland
Abiola Abimbola, Napier University, UK
Rafael Accorsi, University of Freiburg, Germany
Alessandro Acquisti, Carnegie Mellon University, USA
Andre Adelsbach, Telindus PSF S.A., Luxembourg
Vasilis Aggelis, PIRAEUS Bank (WINBANK), Greece
John Andrews, Loughborough, University, UK
Michael Backes, Saarland University, Germany
Leonard Barolli, Fukuoka Institute of Technology (FIT), Japan
Lisa Bartlett, Loughborough University, UK
Massimo Bartoletti, Universita' di Pisa, Italy
Darcy G. Benoit, Acadia University, Wolfville, Canada
Helmut Berger, E-Commerce Competence Center - EC3, Austria
Bharat Bhargava, Purdue University, USA
Christophe Blanchet, CNRS IBCP, France
Alexander Böhm, University of Mannheim, Germany
Stephane Bressan, National University of Singapore, Singapore
Luciano Burgazzi, ENEA, Italy
Kevin Butler, Pennsylvania State University, USA
Jesper Buus Nielsen , University of Aarhus, Denmark
Catharina Candolin, The Finnish Defence Forces. Finland
Jiannong Cao, Hong Kong Polytechnic University, Hongkong
Jordi Castellà-Roca, Rovira i Virgili University of Tarragona, Spain
David Chadwick, University of Kent, UK
Surendar Chandra, University of Notre Dame, USA
Guihai Chen, Nanjing University, China
Simon Christophe, Nancy University, France
Soon-Ae Chun, City University of New York, USA
Nathan Clarke, University of Plymouth, UK
Joey Coleman, University of Newcastle upon Tyne, UK
Gao Cong, University of Edinburgh, UK
Ricardo Corin, INRIA-MSR & University of Twente, The Netherlands
George Davida, University of Wisconsinat Milwaukee, USA
Robert H. Deng , Singapore Management University, Singapore
Jochen Dinger, Universität Karlsruhe (TH), Germany
Lucia Draque Penso, University of Mannheim, Germany
Schahram Dustdar, Vienna University of Technology, Austria
Christian Engelmann, Oak Ridge National Laboratory, USA
Yung-Chin Fang, Dell Inc., USA
Hannes Federrath, University of Regensburg, Germany
Pascal Felber, Université de Neuchâtel, Switzerland
Elena Ferrari, University of Insubria, Italy
Sergio Flesca, DEIS – University of Calabria, Italy
Vincenzo De Florio, University of Antwerp, Belgium
Vladimir Fomichov, K.E. Tsiolkovsky Russian State Technological
University, Russia
Jordi Forné, Technincal Universtiy of Catalonia, Spain
Huirong Fu, Oakland University, MI, USA
Steven Furnell, University of Plymouth, UK
Javier Garcia-Villalba, Complutense University of Madrid, Spain
Matthew Gebski, University of New South Wales, Australia
Karl Goeschka, Vienna University of Technology, Austria
Swapna S. Gokhale, University of Connecticut, USA
Marcin Gorawski, Silesian University of Technology, Poland
Stephan Groß, Technische Universität Dresde, Germany
Daniel Grosu, Wayne State University, USA
Michael Grottke, Duke University, USA
Le Gruenwald, University of Oklahoma, USA
Qijun Gu, Texas State University, USA
Yong Guan, Iowa State University, USA
Ibrahim Haddad, Open Source Development Labs, USA
Abdelkader Hameurlain, Paul Sabatier University, France
Marit Hansen, Independent Centre for Privacy Protection, USA
Naohiro Hayashibara, Tokyo Denki University, Japan
Xubin (Ben) He, Tennessee Technological University, USA
Yanxiang He, Wuhan University, China
Rattikorn Hewett, Texas Tech University, USA
Chin-Tser Huang, University of South Carolina, USA
Jimmy Huang, York University, Canada
Thomas Jensen, IRISA/CNRS, France
Zhen Jiang, West Chester University, USA
Hai Jin, Huazhong University of Science and Technology, China
Oliver Jorns, ftw. Forschungszentrum Telekommunikation Wien, Austria
Audun Josang, School of Software Engineering and Data Communications, Australia
Jan Jurjens, Munich University of Technology, Germany and Open University, UK
Holger Kenn, University of Bremen, Germany
Dogan Kesdogan, RWTH Aachen, Germany
Brian King, Indiana University Purdue University Indianapolis, USA
Ted Krovetz, California State University, USA
Raphael Kunis, Chemnitz University of Technology, Germany
Helmut Kurth, Atsec Information Security, USA
Marc Lacoste, France Télécom R&D, France
Kwok-Yan Lam, Tsinghua University, China
Chokchai Box Leangsuksun, Louisiana Tech University, USA
Yih-Jiun Lee, Department of Information Management, CTU, Taiwan
Chin-Laung Lei, National Taiwan University, China
Philippe Leray, INSA (National Institute of Applied Sciences) of Rouen, France
Jun Li, University of Oregon, USA
Sam Lightstone, IBM Canada Ltd., Canada
Chae-Hoon Lim, Sejong University, Korea
Ching Lin, Macquarie University, Australia
Man Lin, St. Francis Xavier University, Canada
Alex Zhaoyu Liu, University of North Carolina at Charlotte, USA
Tong Liu, Dell Inc, USA
Hua Liu , Xerox labs, USA
Javier Lopez, University of Malaga, Spain
Sanglu Lu, Nanjing University, China
Jianhua Ma, Hosei University, Japan
Qiang Ma, NEC, Japan
Josef Makolm, Federal Ministry of Finance, Austria
Carsten Maple, University of Luton, UK
Keith Martin , University of London, UK
Fabio Martinelli, National Research Council - C.N.R, Italy
BeniaminoDi Martino, Second University of Naples, Italy
Santiago Melia, University of Alicante, Spain
Nasrullah Memon, Aalborg University Esbjerg, Denmark
Geyong Min, University of Bradford, UK
George Mohay, Queensland University of Technology, Australia
Marina Mongiello, Technical University of Bari, Italy
Stefania Montani, Universita' del Piemonte Orientale, Italy
Yi Mu, University of Wollongong, Australia
Junghyun Nam, Sungkyunkwan University, Korea
Priya Narasimhan, Carnegie Mellon University, USA
Tho Manh Nguyen, Vienna University of Technology, Austria
Jesper Nielsen, University of Århus, Denmark
Thomas Nowey, University of Regensburg, Germany
Tomas Olovsson, Chalmers University of Technology, Sweden
Hong Ong, Oak Ridge National Laboratory, USA
Maria Papadaki, University of Plymouth, UK
Manish Parashar, Rutgers University, USA
Fernando Pedone, University of Lugano, Switzerland
MariaS. Perez, UPM, Spain
Günther Pernul, University of Regensburg, Germany
Rob Peters, University of Amsterdam, The Neitherland
Thomas Phan, IBM Research, USA
Mario Piattini, University of Castilla-La Mancha, Spain
Makan Pourzandi, Ericsson Canada, Canada
Christopher Price, University of Wales Aberystwyth, UK
Jean-Jacques Quisquater, Universite catholique de Louvain, Belgium
Wenny Rahayu, La Trobe University, Australia
Indrajit Ray, Colorado State University, USA
Domenico Rosaci, University "Mediterranea" of Reggio Calabria, Italy
Heiko Rossnagel, Johann Wolfgang Goethe University Frankfurt, Germany
Bimal Roy, Indian Statistical Institute, India
Kenji Saito, Keio University, Japan
Kouichi Sakurai, Kyushu University, Japan
BiplabK. Sarker , University of New Brunswick, Fredericton, Canada
Ingrid Schaumüller-Bichl, FH OÖ Campus Hagenberg, Austria
Stephen L. Scott, Oak Ridge National Laboratory - USA
Dharmaraja Selamuthu, Indian Institute of Technology Delhi, India
Tony Shan, Wachovia Bank, USA
Thomas Shrimpton, Portland State University, USA
Richard Sinnott, University of Glasgow, UK
Amund Skavhaug, Norwegian University of Science and Technology, Norway
Agusti Solanas, Rovira i Virgili University, Spain
Alexander Speirs, University of Newcastle upon Tyne, UK
Katarina Stanoevska-Slabeva, University St. Gallen, Switzerland
Ketil Stølen, SINTEF & University of Oslo, Norway
Aaron Striegel, University of Notre Dame, USA
Peter Struss, Munich University of Technology, Germany
Tsuyoshi Takagi, Future University - Hakodate, Japan
Makoto Takizawa, Tokyo Denki University, Japan
Björn Thuresson, KTH Computer Science and Communication, Sweden
Oliver Theel, University of Oldenburg, Germany
A Min Tjoa, Vienna University of Technology, Austria
Kishor Trivedi, Duke University, USA
Juan Trujillo, University of Alicante, Spain
Alexander W. Tsow, Indiana University, USA
Tomas Uribe, SRI International, USA
Kalyan Vaidyanathan, Sun Microsystems, USA
Luca Vigano, ETH Zurich, Switzerland
Umberto Villano, Universita' del Sannio, Italy
Melanie Volkamer, DFKI - German Research Center for Artificial
Intelligence, Germany
Michael Waidner, IBM Software Group, Switzerland
Carine Webber, Universidade de Caxias do Sul, Brazil
Edgar Weippl, Vienna University of Technology, Austria
Robert Willison, Copenhagen Business School, Denmark
Maria Wimmer, University of Koblenz-Landau, Germany
Matthew Wright, University of Texas at Arlington, USA
Qinghan Xiao , Defence R&D Canada, Canada
Liudong Xing, University of Massachusetts, USA
Cheng-Zhong Xu, Wayne State University, USA
Mariemma.I. Yagüe, University of Malaga, Spain
Jeff Yan, Newcastle University, UK
Laurence Yang, St. Francis Xavier University, Canada
Alec Yasinsac, Florida State University, USA
George Yee, National Research Council, Canada
Sung-Ming Yen, National Central University, Taiwan
Xun Yi, Victoria University, USA
Meng Yu, Monmouth University, USA
William Yurcik, University of Illinois, USA
Nicola Zannone, University of Trento, Italy
Jianhong Zhang, North China University of Technology, China
Liqiang Zhang, Indiana University South Bend, USA
Jianying Zhou, Institute for Infocomm Research, Singapore
Xudong Zhu, Alcatel shangHai Bell Co. LTD., China
Enrico Zio, Polytechnic of Milan, Italy

EUSecWest/London CFP extended to Nov. 7

2006-11-02T16:28:21Z

Hi folks, some brief news:

Some people have asked for late submissions to the EUSecWest
paper selections. In the interest of fairness, we are extending the
deadline for all until next Tuesday (November 7), at which time
the submissions will be reviewed. Details of submissions can
be found on the http://eusecwest.com site under the speakers
sections.

PacSec/Tokyo paper descriptions have been published, and
CanSecWest/Vancouver early discount registration is now available.

thanks,

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 27-30 2006 http://pacsec.jp
pgpkey http://dragos.com/ kyxpgp