-----Original Message-----
From: NIPC Watch
Sent: 7/17/01 8:01 AM
Subject: NIPC Daily Report, 17 July 2001

Significant Changes and Assessment - No Significant Changes.

Private Sector - A new Internet worm may be on the loose and could have already infected thousands of sites running Web server software from Microsoft, security experts warned on 16 July. Since late last week, a malicious program has been scanning the Internet and compromising Microsoft systems running unpatched versions of Internet Information Server (IIS), according to independent reports. Experts who have reviewed the signature of the code left behind in Web server logs said it appears to exploit a buffer overflow flaw in IIS that was discovered by eEye Digital Security. According to Marc Maiffret, chief hacking officer for eEye, a preliminary analysis by the security software firm of log files and a copy of the program obtained from victim sites suggests it may be a self-propagating worm designed to scan the Internet for IIS machines vulnerable to the ".ida attack" and to automatically deface their homepages. According to Maiffret, the defaced page contains a simple message in all red letters: "Welcome to http://www.worm.com! Hacked By Chinese!" (Source: Newsbytes, 17 July) (NIPC Comment: The NIPC's Malicious Code Team continues to research and analyze this worm and will advise of changes as warranted.)

Due to another DDoS attack in the past 4 days, the alldas.de web site defacement mirror has not been kept up to date recently. Its core routers had to handle roughly 600 Mbit of traffic, which was far too much, and their upstream provider responded by nullrouting them. Because of this nullrouting, it is not easy to visit or send e-mail to the alldas.de web site. Alldas.de will be moving to another ISP within the next 10 weeks, where they hope to experience less trouble, since the new backbone is more resistant to 600 Mbit "kiddie" DoS networks.
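The worm item above says the attack was identified from the signature it leaves in Web server logs and that it abuses a buffer overflow reachable through .ida requests. The following is an added example, not code from the NIPC report, eEye or Microsoft: it parses IIS log lines and flags requests for an .ida resource whose query string is far longer than any legitimate one, which is the generic fingerprint of an overflow attempt against that extension. The log field layout, the length threshold and every sample line are assumptions constructed for the example (the addresses are from documentation ranges and the long query is plain filler, not a captured payload).

```python
"""Flag IIS log entries consistent with the .ida buffer-overflow probe.

Added example; it is not from the NIPC report, eEye or Microsoft. The .ida
flaw is a buffer overflow, so an attempt needs a query string far longer
than any legitimate request for an .ida resource carries. The log layout
assumed here is a subset of the W3C extended format IIS writes:
date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
All sample lines are constructed; the addresses come from documentation
ranges and the oversized query is filler, not a captured payload.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed threshold for this example: ordinary query strings are short,
# while overflowing a fixed-size buffer needs hundreds of bytes.
LONG_QUERY = 200

IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Hit:
    ip: str
    stem: str
    query_len: int
    status: str


def parse_line(line):
    """Return the fields of one log line, or None for header/garbage lines."""
    m = IIS_LINE.match(line.strip())
    return m.groupdict() if m else None


def is_ida_probe(rec):
    """An .ida resource requested with an oversized query string."""
    return rec["stem"].lower().endswith(".ida") and len(rec["query"]) >= LONG_QUERY


def scan(lines):
    """Parse log lines and return every .ida probe found, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_ida_probe(rec):
            hits.append(Hit(rec["ip"], rec["stem"], len(rec["query"]), rec["status"]))
    return hits


def by_source(hits):
    """Count probes per source address; the first thing an incident handler wants."""
    return Counter(h.ip for h in hits)


# Constructed sample: IIS header comment, a normal page, a legitimate (short)
# .ida query, a long but non-.ida search query, and two probes.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-16 03:12:41 198.51.100.7 GET /index.htm - 200",
    "2001-07-16 03:12:45 198.51.100.7 GET /search.ida CiRestriction=report 200",
    "2001-07-16 03:12:50 198.51.100.7 GET /search.asp q=" + "a" * 250 + " 200",
    "2001-07-16 03:13:02 203.0.113.9 GET /default.ida " + "A" * 240 + " 200",
    "2001-07-16 03:14:17 203.0.113.44 GET /default.ida " + "A" * 240 + " 200",
]

if __name__ == "__main__":
    for ip, n in by_source(scan(SAMPLE_LOG)).items():
        print(f"{ip}: {n} .ida probe(s)")
```

The check keys on the resource type plus the query length rather than on any byte pattern, so it keeps working when the filler bytes change; the long non-.ida search query in the sample shows why the stem test is needed to avoid false positives on ordinary search forms.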
Alldas.de feels that its current ISP has done more than most ISPs would do for a site like theirs. (Source: AllDas.de Web Site, 15 July)

At DefCon, the veterans had a message for the younger, up-and-coming hackers: go straight. The opportunities of a career in business and the risks of a life of cybercrime were the serious subtext to the DefCon conference. This year's meeting featured sessions on how an interest in hacking can be parlayed into work as a security consultant, and even the show's organizers announced that they had formed their own firm. Black Hat, held at Caesar's Palace, attracted 1,300 earlier in the week, and about 5,000 were expected at DefCon, where professionals and dedicated amateurs come to swap information about computer network vulnerabilities and how to fix them. (Source: ZDNet UK, 16 July)

The technology industry is scrambling to combat what many computer security experts say will be the next target of hackers and computer viruses: wireless devices. No known attacks have knocked out business networks or large numbers of cell phones, handheld computers and laptops. But cyber assaults are likely to come in the next year, given the history of hackers targeting new technologies, security pros say. (Source: USA Today, 16 July)

Government - The Internet Fraud Complaint Center (IFCC), a government Web site affiliated with the Federal Bureau of Investigation, has posted a warning that someone has been sending unsolicited e-mails with fake FBI addresses. The phony addresses are an apparent attempt to fool recipients into believing that an FBI employee has sent the message. According to the IFCC's press release, many of the e-mails have said: "Your application is approved. Please fill out this form to confirm your identity." The e-mail then asks for the recipient's name and address, and a credit card number and expiration date. "The FBI does NOT e-mail people soliciting information from them.
The FBI does NOT request such personal information from people via the Internet," said the strongly worded release. The FBI has otherwise made no public comment on the false e-mails, which apparently were sent earlier this month. (Source: www.NewsFactor.com, 17 July) (NIPC Comment: Spoofed e-mail is often used by hackers to trick consumers into running malicious code such as Trojan applications, which can provide remote access to a victim's computer. As always, users are advised to keep their anti-virus software current by checking their vendor's web sites frequently for new updates, and to check for alerts put out by NIPC, CERT/CC, and other cognizant organizations.)

The National Institute of Standards and Technology's ICAT metabase can reportedly be "used as a royalty free vulnerability database for both commercial and free products" and is now available as an offline application via the ICAT website. The database was last updated on 2 July 2001 and currently contains 2628 vulnerabilities. (Source: @Stake Security News, 13 July)

The State Department needs to evaluate its foreign operations and draw up critical infrastructure protection plans and vulnerability assessments, State's inspector general concluded in a report released last month. Under Presidential Decision Directive 63, State had to implement an international strategy for safeguarding critical U.S. and global infrastructures. The effort so far has consisted of an international outreach plan to catch cyberterrorists and criminals, which began last August. But the Inspector General's report said that although the plan has had some success, the department needs to take more global preventive measures. "The department's Critical Infrastructure Protection Plan and vulnerability assessments did not address the department's minimum-essential infrastructure overseas, nor the role and responsibilities of its chiefs of mission in protecting that infrastructure," the report said.
(Source: Government Computer News, 16 July)

In an effort to strengthen the nation's "cyber civil defense," two well-known law enforcement officials asked attendees of this year's Black Hat Briefings (BHB) hacker conference to join the corps of coders paid to protect the nation's IT infrastructure. Enlisting to help the government combat cybercrime helps level an uneven playing field caused by legal limitations placed on the public sector, keynote speakers William Tafoya and Kevin Manson told several hundred security experts at the 5th annual Black Hat convention held in Las Vegas. In return for their service to the government, "ethical coders" can receive better training and credentials that will benefit them later when they seek information security careers. "The 'elite' are not those who destroy and wreak havoc in cyberspace; rather they are those who protect and defend the Net," both Tafoya and Manson told the crowd. This is the second year the federal government has asked hackers to join its ranks at BHB and DefCon, another widely attended conference in Las Vegas that immediately follows the Black Hat sessions. (Source: Security Wire Digest, 16 July)

Defacements - Fears that other hackers would follow last week's super-attack on 700 web sites were confirmed on 14 July when a second hacker turned over a large number of sites. A pro-Israeli defacing group, m0sad, hit 480 web sites in a political hack that probably took less than a minute. The attack comes a week after more than 700 "virtually hosted" web sites were hit in a single attack, and some security experts feared that this would be just the beginning of a spate of copycat attacks. "m0sad" broke into a web server owned by Corpex Internet, which hosted 480 sites. The machine was running Apache on FreeBSD, and all the sites were virtually hosted.
Virtual hosting is a cost-effective method of running a site in which a number of web sites are hosted on the same server, with each site usually held in its own folder. But should a hacker manage to get system-level access to the server, it is child's play to set up a script to overwrite every index.html file found on the machine and replace it with the hacker's own page. (Source: VNUNet, 16 July)

Military - NTR

International - NTR

U.S. SECTOR INFORMATION:

Electrical Power - NTR
Transportation - NTR
Telecommunications - NTR
Banking and Finance - NTR
Emergency Services - NTR
Government Services - NTR
Water Supply - NTR
Gas and Oil Storage Distribution - NTR

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report, nor does this constitute endorsement by the NIPC or the FBI.
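The Defacements item above explains why a single compromise of a virtually hosted server turns into hundreds of defaced sites: one folder per site, one index.html per folder, one script to rewrite them all. What a hosting operator wants from that description is a way to notice such a sweep quickly. The following is an added example, not code from the NIPC report, VNUNet or Corpex: it baselines a SHA-256 digest of every index.html under a hosting root and, on a later pass, reports which sites changed and whether the share of changed sites looks like a mass event rather than one customer publishing an update. The directory layout, the 50% threshold and the three-site tree built in demo() are assumptions constructed for the example.

```python
"""Detect a mass overwrite of index.html files across virtual-host folders.

Added example; it is not from the NIPC report, VNUNet or Corpex. A baseline
of SHA-256 digests is taken for every index.html under the hosting root
(one folder per virtual host, as the article describes), and a later pass
reports which sites no longer match and whether the change looks like a
mass defacement rather than a single site editing its own page. The site
tree used in demo() is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile

# Assumed for this example: if this share of baselined sites changes between
# two passes, treat it as a mass event rather than routine publishing.
MASS_FRACTION = 0.5


def hash_file(path):
    """SHA-256 of a file, read in chunks so large pages do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root, name="index.html"):
    """Map each site's index.html (path relative to root) to its digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hash_file(full)
    return digests


def compare(root, base, name="index.html"):
    """Return (changed, missing) relative paths against a stored baseline."""
    now = baseline(root, name)
    changed = sorted(rel for rel, d in now.items() if rel in base and base[rel] != d)
    missing = sorted(rel for rel in base if rel not in now)
    return changed, missing


def is_mass_defacement(changed, base):
    """True when the changed share of baselined sites reaches MASS_FRACTION."""
    return bool(base) and len(changed) / len(base) >= MASS_FRACTION


def demo():
    """Constructed site tree: baseline, overwrite two of three pages, compare."""
    with tempfile.TemporaryDirectory() as root:
        sites = ["site-a", "site-b", "site-c"]
        for s in sites:
            os.makedirs(os.path.join(root, s))
            with open(os.path.join(root, s, "index.html"), "w") as f:
                f.write(f"<h1>{s}</h1>\n")
        base = baseline(root)
        # Model the event in the article: one pass rewriting every index.html
        # it can reach (here two of the three constructed sites).
        for s in sites[:2]:
            with open(os.path.join(root, s, "index.html"), "w") as f:
                f.write("<h1>replaced</h1>\n")
        changed, missing = compare(root, base)
        return changed, missing, is_mass_defacement(changed, base)


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off the web server (an attacker with system-level access can rewrite a local baseline as easily as the pages), and the comparison would run from a separate host or a scheduled job with read-only access to the document roots.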