[ISN] Cert warns of automated attacks

From: InfoSec News (isnat_private)
Date: Wed Apr 10 2002 - 01:47:40 PDT

  • Next message: InfoSec News: "[ISN] The Security Sentinels"

    By James Middleton [09-04-2002]
    Hacking tools are becoming increasingly sophisticated
    The Computer Emergency Response Team (Cert) has released a report
    pinpointing the six fastest evolving trends in the black hat world of
    internet security.
    The organisation, which has been monitoring hacker activity since
    1998, found that the most notable trend to evolve over recent years is
    the automation and speed of attack tools.
    Although widespread scanning over the internet has been common since
    1997, today's tools are set to maximise impact and speed.
    Freely available attack tools now exploit vulnerabilities as part of
    the scanning process and are capable of self-initiating new attacks on
    a well-managed and co-ordinated global scale.
    "We've seen tools like Code Red and Nimda self-propagate to a point of
    global saturation in less than 18 hours," said Cert.
    Public communications protocols such as IRC and Instant Messenger have
    now become popular methods for co-ordinating attack tools.
    The tools are more sophisticated, and their signatures are more
    difficult to discover through signature-based systems such as
    antivirus software and intrusion detection systems.
    Attack tools are capable of disguising their nature, varying their
    patterns and making use of polymorphic techniques to upgrade or
    replace portions of themselves.
    Commonly used protocols such as IRC or HTTP are being used to disguise
    malicious code among legitimate network traffic.
    Cert also warned that the number of vulnerabilities discovered has
    more than doubled each year, making it nigh on impossible for
    administrators to keep on top of patches.
    "Intruders are often able to discover these exemplars before the
    vendors are able to correct them," warned the authority.
    The increasing permeability of firewalls is also posing a problem, as
    security is being sacrificed to convenience. More technologies are
    being designed to bypass firewalls, such as IPP (the Internet Printing
    Protocol) and WebDAV (Web-based Distributed Authoring and Versioning).
    While marketed as being 'firewall friendly' these technologies are
    actually designed to bypass typical firewall configurations. Other
    examples include aspects of 'mobile code', such as ActiveX, Java and
    JavaScript, which make it harder for malicious software to be
    Because security on the internet is, by its very nature, highly
    interdependent, another increasing threat to each system's exposure to
    attack depends on the state of security of the rest of the systems
    A single attacker can relatively easily employ a large number of
    distributed systems to launch devastating attacks against a single
    Cert found that the increasing threat from infrastructure attacks
    takes on four general methodologies.
    Distributed Denial of Service attacks use multiple systems to attack
    one or more victims. Cable modem, DSL, and university address blocks
    are increasingly targeted by intruders planning to install these
    attack tools.
    Worms, or self propagating malicious code, couple a highly automated
    nature with the relatively widespread number of vulnerabilities still
    unchecked, to compromise a large number of systems within a few hours.  
    Code Red infected more than 250,000 systems in just nine hours on 19
    July last year.
    Domain Name System architecture is also being targeted more
    frequently. The 13 top level domain servers for .com, .net and .org,
    along with those managing the country level domains, have long been
    considered a single point of threat in internet security.
    And routers are increasingly being targeted, because they can be used
    as attack platforms against the rest of the internet infrastructure.
    Cert said that the largest impact of these security events may well be
    the time and resources required to deal with them.
    Analyst firm Computer Economics recently estimated that the total
    economic impact of Code Red was $2.6bn, and that SirCam cost another
    $1.3bn. The 11 September attacks will cost around $15.8bn to restore
    IT and communication infrastructure.
    The full report can be found here.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 05:02:05 PDT