-----Original Message----- From: NIPC Watch [mailto:nipc.watch@private] Sent: Thursday, January 09, 2003 8:59 AM To: Cyber Threats; Information Technology Subject: [Cyber_threats] Daily News 01/09/03 January 06, Computerworld American Airlines secures wireless LANs in Denver. Last January it was discovered that the wireless local area networks (LANs) American Airlines Inc. had been operating at their Denver International Airport (DIA) terminal were highly vulnerable to hackers. White Hat Technologies Inc., a Colorado-based security firm, found they had been operating without any encryption and had even pasted the IP addresses of curbside terminals on the monitors. A test at DIA on December 20 by White Hat was unable to detect a single airline wireless network operating without encryption protection, said Thubten Comerford, CEO of White Hat. In addition, American had not only removed the IP addresses from its OneStop self-service kiosks, but it had also added Cisco Systems Inc.'s Lightweight Extensible Authentication Protocol (LEAP) authentication technology on top of the standard 40-bit Wired Equivalent Privacy (WEP) encryption. LEAP is an authentication algorithm that leverages the 802.1x framework and provides dynamic, per-user WEP keys to protect data in transit. On the downside, Comerford said the recent test of the DIA facility still managed to pick up a suspected rogue access point (AP), as well as a significant number of vulnerable wireless transmissions emanating from public traveler lounges and frequent-flier clubs throughout the airport. "The biggest danger at DIA is the sniffing of sensitive information being transmitted by travelers. Few, if any, airports have addressed this security vulnerability, [and] few airports or airlines warn travelers of the danger of using the wireless networks," Comerford said. Source: http://www.idg.net/go.cgi?id=779363 January 06, CERT/CC CERT Vulnerability Note VU#412115: "Network device drivers reuse old frame buffer data to pad packets". The Ethernet standard (IEEE 802.3) specifies a minimum data field size of 46 bytes. If a higher layer protocol such as IP provides packet data that is smaller than 46 bytes, the device driver must fill the remainder of the data field with a "pad". For IP datagrams, RFC1042 specifies that "the data field should be padded (with octets of zero) to meet the IEEE 802 minimum frame size requirements." Researchers from @stake Inc., a digital security company in Cambridge, Mass, have discovered that, contrary to the recommendations of RFC1042, many Ethernet device drivers fail to pad frames with null bytes. Instead, these device drivers reuse previously transmitted frame data to pad frames smaller than 46 bytes. This constitutes an information leakage vulnerability that may allow remote attackers to harvest potentially sensitive information. Depending upon the implementation of an affected device driver, the leaked information may originate from dynamic kernel memory, from static system memory allocated to the device driver, or from a hardware buffer located on the network interface card. Source: http://www.kb.cert.org/vuls/id/412115 Virus: #1 Virus in USA: WORM_KLEZ.H Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States] Top 10 Target Ports: 137 (netbios-ns), 1433 (ms-sql-s), 80 (http), 139 (netbios-ssn), 445 (microsoft-ds), 4662 (???), 135 (???), 21 (ftp), 53 (domain), 25 (smtp) Source: http://isc.incidents.org/top10.html; Internet Storm Center _______________________________________________ Cyber_Threats mailing list Cyber_Threats@listserv http://listserv.infragard.org/mailman/listinfo/cyber_threats
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:47:47 PST