FW: NIPC Daily Report, 21 August 2001

From: George Heuston (georgeh@private)
Date: Tue Aug 21 2001 - 10:13:37 PDT

    -----Original Message-----
    From: NIPC Watch [mailto:nipc.watch@private] 
    Sent: Tuesday, August 21, 2001 9:12 AM
    To: daily@private
    Subject: NIPC Daily Report, 21 August 2001
    
    
    
    Significant Changes and Assessment  - No significant changes 
    
    
    Private Sector - Until recently, sites running AIX, a commercial operating
    system from IBM that is based on Unix, barely made a blip on the radar of
    the Alldas defacement archive service.  Of the more than 22,000 home pages
    defaced in the past 18 months, just 47 sites, or less than 1%, have been
    running AIX.  Windows, on the other hand, accounts for 65% of defacements.
    But 32 of those AIX intrusions have occurred in the past three days.  Among
    the victims, ironically, was an IBM corporate Web site in Indonesia.  On 18
    August, the defacers, a group called Savvy Crew, changed the site's homepage
    by adding the messages "In Linux We Trust" and "SavvyCrew did penetrate this
    lame IBM server."  The rise in AIX defacements has occurred almost
    simultaneously with the release of several new programs that exploit old
    flaws in the operating system.  (Source: Newsbytes, 21 August) 
      
    According to the hacker online publication Root-Core Network, a security
    hole in Microsoft's Web-based e-mail service Hotmail, allows any account
    holder to view other users' private messages.  In a bulletin posted on its
    Web site on 18 August, Root-Core members demonstrated how specially crafted
    URLs could circumvent password security on the Hotmail servers. A Root-Core
    editor who goes by the handle "Digital-Vortex" reported that Hotmail has
    been informed of the hole.  Hotmail security is guarded by Microsoft's
    Passport, a service promoted as a "single sign-in" approach to
    authentication that can span multiple Web sites.  (Source: Infosec News, 20
    August) 
    
    
    A security vulnerability in Apache web server results in the disclosure of
    the server's internal address. The problem occurs when an HTTP request
    containing a directory is submitted to the server. If the directory does not
    contain a trailing "/" character, the server returns a 3xx redirection error
    code indicating that further action must be taken in order to fulfill the
    request. When this occurs, a 'Location' response-header containing the
    address of the server is returned as part of the response. In a situation
    where the request is redirected to the server behind a firewall, this could
    lead to the disclosure of the server's internal network address. (Source:
    InfoSec News, 20 August) 
      
    A group of security companies is combining their efforts to be better able
    to combat new, sophisticated attacks such as those posed by the Code Red and
    Leave worms.  This week, McAfee will announce a research and development
    partnership with three anti-DDoS vendors, Arbor Networks Inc., Asta Networks
    Inc. and Mazu Networks Inc., with the goal of developing innovative
    technologies and techniques to detect and prevent DDoS attacks.  The
    alliance, a first among the normally isolationist security vendors, will
    involve the member companies exchanging research as well as researchers in
    an effort that officials said is just the beginning of a far-reaching
    initiative.  The long-term goal of the partnership is to develop and deploy
    a solution that will enable Internet service providers and data centers to
    identify when their networks are under a DDoS attack and also to discover
    and eliminate the "zombies" that attackers use to launch their assaults.
    (Source: ZDNet.com, 21 August) 
    
    
    International - Kaspersky Labs announced the registration of computer
    infections by the Internet worm "Newpic," which are spreading via the
    popular MSN Messenger pager network.  The current malicious program was
    detected at the beginning of last week, at which time it was added to the
    Kaspersky Anti-Virus database with the necessary defense procedures.
    However, the first incidents connected with "Newpic" were noted this past
    weekend.  "Newpic" is an executable program written in Visual Basic and is
    compiled in an EXE file about 50Kb in length.  Upon execution of the
    worm-carrying file, "Newpic" displays a fake message pertaining to a file
    processing error in order to hide its activity. The worm then registers
    itself in the auto-run registry key so that the worm is automatically
    executed upon every ensuing computer reboot.  (Source: InfoSec News, 20
    August) 
    
    
    An independent computer programmer in Germany has discovered that malicious
    hackers could wield seemingly ordinary-looking Web pages to send commands to
    servers behind such barriers as corporate firewalls.  Jochen Topf, found
    that many common Web browsers can be tricked into passing on commands from
    hackers unbeknownst to the browsers' users.  The trick, Topf wrote last week
    in a paper called "The HTML Form Protocol Attack," relies on the same
    HTML-based technology builders of legitimate Web pages use to capture
    information visitors might enter into online forms.  Topf's HTML form
    protocol attack paper is available at http://www.remote.org/jochen.
    (Source: Newsbytes, 20 August) 
    
    
    A computer virus has intruded into administrative information systems of the
    Japan Coast Guard, damaging part of application software. The Japan Coast
    Guard suspended its e-mail servers after it discovered the virus infection
    on 20 August to let an anti-virus service company develop a vaccine for the
    virus. But the prospect of system restoration is still far from certain. The
    computer systems of the coast guard are now temporarily out of action, but
    its home page is operating as usual.  (Source: JPP, 20 August) 
    
    
    On 20 August, hackers changed the main Web page of Turkey's Finance Ministry
    causing it to crash.  Hackers changed and left a note signed by the
    Independent Hackers Group.  The Finance Ministry's data processing personnel
    have said that the hackers changed only the main page of the Web site and
    that no information has been lost.  They said that there is a problem with
    the security script.  (Source: Istanbul NTV, 20 August) 
    
    
    Government - A Seattle federal court handed down a 13-count indictment last
    week accusing Vladimirovich Ivanov, of Chelybinsk, Russia, of hacking into
    a California-based Internet service provider (ISP) and allegedly attempting
    to extort money from the company's customers.  According to court documents,
    Ivanov was charged with hacking into the networks of VPM, an ISP based in
    Folsom, California.  He allegedly threatened to damage computers connected
    to the network unless he was paid a certain amount from each victim.  Ivanov
    and his associate Vasili Gorchkov were arrested in Seattle last November
    after coming to the U.S.  for what they believed was a job interview at a
    Seattle-based high-tech company called Invita.  Both men have been indicted
    on similar federal computer intrusion charges in Santa Ana, Calif., and in
    New Jersey.  According to U.S. Attorney Mark L. Krotoski, Ivanov faces a
    maximum penalty of five years in prison, and a fine of up to $250,000 on
    each of the charges.  (Source: Newsbytes, 21 August) 
    
    
    Military - NTR 
    
    
    U.S. SECTOR INFORMATION: 
    
    
    Water Supply - Three towboat companies and the man who owns them have
    pleaded guilty to dumping oil into the Mississippi River.  Glenn McKinney
    and his companies McKinney Towing, McKinney Harbor Towing and Slidell
    Towing, could be ordered to pay a variety of fines and restitution for
    violating the federal Clean Water Act.  McKinney pleaded guilty on 17 August
    in U.S. District court on behalf of himself and the three companies.  For at
    least five years and until May 2000, McKinney's boats would pump a water and
    oil mix from the hulls of at least nine boats into the Mississippi River.
    The mix came about because the boats were in a constant state of disrepair.
    The illegal discharges stopped when Louisiana State Police, the federal
    Environmental Protection Agency and Baton Rouge Police searched the
    company's Baton Rouge facility and took samples from the boats.  The towing
    companies have agreed to pay $40,000 in restitution to the State Police
    "Right to Know" fund and $40,000 to the Southern Environmental Enforcement
    Network.  (Source: Associated Press, 20 August) 
    
    
    Gas and Oil Storage Distribution - NTR 
    Government Services - NTR 
    Emergency Services - NTR 
    Electrical Power - NTR 
    Telecommunications - NTR 
    Banking and Finance - NTR 
    Transportation - NTR  
    
    NOTE:  Please understand that this is for informational purposes only and
    does not constitute any verification of the information contained in the
    report nor does this constitute endorsement by the NIPC or the FBI. 
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:24:18 PDT