-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Tuesday, June 26, 2001 8:48 AM
To: daily
Subject: NIPC Daily Report 26 June 2001

Significant Changes and Assessment - No Significant Changes.

Private Sector - The Pe_Maria Worm, a memory-resident virus, propagates via Microsoft Outlook by sending a copy of itself to all addresses listed in an infected user's address book. It arrives in an e-mail with the subject line "Hi!!!" and the attachment SYSTEM32.EXE. When in memory, it displays the icon of a marijuana leaf on the taskbar. Trend Micro identifies this worm as having a low risk rating. (Source: Infosec News, 25 June)

(NIPC Comment: The Malicious Code Team of NIPC has been in contact with anti-virus vendors to determine the validity of this virus. The PE_MARIA.A is considered a very low threat due to its non-destructive capabilities, but the mass mailing capabilities can still degrade e-mail servers within a corporation. No further action will be required.)

Microsoft has released security bulletin MS01-036 detailing a vulnerability in Microsoft Windows 2000. This vulnerability involves a Lightweight Directory Access Protocol (LDAP) function that is only available if the LDAP server has been configured to support LDAP over Secure Socket Layer sessions, and whose purpose is to allow users to change the data attributes of directory principals. By design, the function should check the authorizations of the user before completing the request; however, it contains an error that manifests itself only when the directory principal is a domain user and the data attribute is the domain password. When this is the case, the function fails to check the permissions of the requester, with the result that it could be possible for a user to change any other user's domain login password.

An attacker could change another user's password for either of two purposes: to cause a denial of service by preventing the other user from logging on, or in order to log into the user's account and gain any privileges the user had. Clearly, the most serious case would be one in which the attacker changed a domain administrator's password and logged into the administrator's account. Additional information can be found at http://www.microsoft.com/technet/security/bulletin/MS01-036.asp. (Source: Microsoft Corporation, 25 June)

Security professionals are concerned that a program used by hackers to exploit a flaw in Microsoft Internet Information Service (IIS) Web server has not been made public. They fear that the hackers are keeping the tool secret in a bid to launch further damaging IIS attacks. The latest in a long line of vulnerabilities in IIS was discovered last week, when it was revealed that a remote buffer overflow in all versions of IIS Internet Services Application Programming Interface could be exploited to give an attacker complete control of a system. The security community is worried that hackers may be hanging on to the tool used for exploiting this hole, rather than releasing it for analysis so that a patch can be developed. Typically, when a hole is discovered, a tool capable of exploiting the glitch appears within 48 hours, encouraging administrators to patch their systems quickly. But so far, no such tool has appeared to push administrators into gear, although rumor has it that hackers are in possession of such a program, potentially leaving the six million users of IIS at risk. (Source: vnunet.com, 26 June)

International - In Malaysia, hackers have struck at government Web sites again, this time targeting the Social Security Organization (Socso) by posting an image of a covered skull on its site www.perkeso.gov.my. The hacker, calling himself "Crime Lordz," also left behind a symbol of the Brazilian flag, suggesting his country of origin. The hacking was revealed by a local self-styled hacker to reporters. However, Socso said it was not aware of the infiltration when contacted by reporters for comment. (Source: Kuala Lumpur Bernama, 25 June)

The Japanese parliament enacted a revised Penal Code to fight credit card fraud, raising the maximum jail term to 10 years from the current five and doubling the maximum fine to 1 million yen. The new penalties unanimously approved by the House of Representatives in a plenary session apply to counterfeiting or use of forged credit cards, debit cards, prepaid cards and ordinary bank and postal savings cards. The new law will take effect sometime in July, government officials said. The revised Penal Code also for the first time stipulates penalties for possession of forged cards and the theft of card data. People caught in possession of such forged cards face a prison term of up to five years or a fine of up to 500,000 yen, while stealing a code number or other data can draw a prison term of up to three years or a fine of up to 500,000 yen. (Source: Associated Press, 26 June)

According to some U.S. officials, Russia, China and Iran are trying to develop their military capabilities to join an attack against the U.S. cyber-infrastructure. A U.S. intelligence officer told the U.S. House Economic Committee on 23 June that the cyber-warfare will be the new type of military operations in the future. He said these operations have already been witnessed in countries like China and Russia, adding that other countries also have some active plans to develop their cyber-warfare. This intelligence officer stopped short of going into detail on the grounds that such information was classified, but the U.S. intelligence sources believe that Russia, China, North Korea and Cuba have active plans to develop their cyber-warfare. The U.S. has claimed that Iran, Iraq and India are also seeking expertise and know-how in this area. (Source: Tehran Times, 26 June)

Government - NTR

Military - NTR

Defacements - NTR

U.S. SECTOR INFORMATION:

Banking and Finance - On 22 June, thousands of people discovered that their credit card details and personal information had been made freely available on a Consumers' Association (CA) Web site. The CA, publishers of Which? magazine, is contacting Web site, TaxCalc.com, and urging them to cancel their credit cards. The CA said that the site had been shut down "within seconds" of a call from a Times journalist on 21 June, informing them of a serious breach of security on the TaxCalc site. It could not confirm the technical reason for the breach and said an independent security expert has been hired to conduct an immediate audit of the site. (Source: The Guardian, 22 June)

Emergency Services - NTR

Government Services - NTR

Water Supply - NTR

Gas and Oil Storage Distribution - NTR

Electrical Power - NTR

Transportation - NTR

Telecommunications - NTR

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI.