-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Monday, January 27, 2003 8:52 AM
To: Information Technology
Subject: [Information_technology] Daily News 01/27/03

January 26, UPI
Massive Internet outage was preventable.

A massive Internet outage that swept across Asia and slowed down service in the United States and northern Europe subsided Sunday, caused by a so-called "Slammer" message worm that could easily have been avoided, experts said. Reports of a near-universal shutdown of the Internet in South Korea Saturday were accompanied by widespread problems in the United States that shut down some automatic bank teller machine networks, held up e-mail, cut voice-over-Internet service and disrupted many private businesses, including some newspapers. Hong Kong, South Korea, the northeastern United States and northern Europe appeared to be hit the hardest. Japan and Latin America were the least affected, according to Matrix NetSystems, an Austin, Texas, company that constantly monitors Internet traffic worldwide.

"The overall effect of these worldwide performance problems is severe, with more than 30% packet loss globally at the beginning of the event," the company said. "The performance problems seem to be subsiding for the time being" as system operators reacted, either shutting down their servers or installing the necessary security fixes. As is typical with malicious worm software, its origin could not be immediately determined. Although the impact varied from region to region, the outage overall appeared to be the worst for the Internet in at least 18 months.

The worm, which unlike a computer virus merely duplicates itself, did its damage by clogging communications from server to server, overloading the capacity of the Internet in many key locations. Although the worm did not carry instructions to damage hard drive storage or trigger other types of secondary damage, it denied or slowed Internet service to untold thousands of users.
The effect was a massive "denial of service," a huge overload sometimes purposely directed against single Web sites but this time spread worldwide. The worm was dubbed the "Slammer," and exploited a weakness in the widely used Microsoft SQL Server 2000 software, a security flaw identified by Microsoft in July of last year. But system operators who had not downloaded the free repair software since then found the problem suddenly caught up with them Saturday, sometimes in a devastating system stoppage.

"While Web users experienced delays, the underlying Internet was largely unaffected," the company said. "The signature of this event," it continued, "is similar to that of the Goner Worm that struck in December 2001." Others compared the widespread effect to that of the "Code Red" worm, which also afflicted servers running Microsoft software in July of 2001, that time targeting port 80. A patch is available at Microsoft's Web site: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/slammer.asp
Source: http://www.upi.com/view.cfm?StoryID=20030126-043023-3604r

January 25, NIPC
NIPC Advisory 03-001: "Worm Targets SQL Vulnerability".

The NIPC is aware of the propagation of an SQL worm. This exploitation affects users of Microsoft SQL Server 2000, primarily "corporate-level" database users. This is not a home user issue unless they are running this server. Starting around 01:30 GMT-0500 on Saturday, January 25, the Internet experienced increased traffic from seemingly random Internet Protocol (IP) source addresses to port 1434/udp, targeting a service provided by Microsoft SQL Server. The packets appear to be of a small size (approximately 376 bytes). Reports indicate that this activity is causing varied levels of degradation in Internet connectivity. Early analysis suggests this is the result of scanning from a worm.

The worm apparently can easily fill the state table of stateful firewalls, e.g. PIX, Check Point, and Netscreen. This will cause an outage for the infected site, and the outage may occur long before the data pipes are filled. This issue is also causing problems for routers, both directly and indirectly. The worm generates some addresses to be attacked, including multicast addresses. This may cause problems for multicast-enabled routers and networks. This worm causes high CPU usage on servers, essentially slowing or shutting servers down. An infected host will spew packets as quickly as the infinite loop will allow. While an additional malicious "payload" has not yet been identified, this vulnerability is essentially a buffer overflow which may allow remote access to a victim's Microsoft SQL database servers.

The NIPC advises users to block or filter port 1434/udp ingress (inbound) and egress (outbound) traffic, and monitor port 1433 for any increased traffic load. Microsoft SQL Server users are encouraged to review the following web site to ensure they have taken appropriate action to fix that vulnerability: http://www.microsoft.com/Downloads/details.aspx?displaylang=en9-B4EB-4446-9BE7-2DE45CFA6A89
Source: http://www.nipc.gov/warnings/advisories/2003/03-001.htm

January 23, Kansas City Channel
Hacker downloads information on 1,450 international students.

University of Kansas officials discovered Wednesday that a computer hacker downloaded personal information gathered on 1,450 of its international students. The information was collected as part of new homeland security measures. The files were for the Student and Exchange Visitor Information System, which will allow universities to transmit information on international students to the Immigration and Naturalization Service (INS) beginning in August. The files included such information as Social Security, passport and university identification numbers, cities and countries of origin and programs students were taking.
The university alerted INS and FBI officials and said it was told the INS was notifying U.S. ports of entry. The breach raised concerns that someone might use the information to enter the United States illegally. Marilu Goodyear, the university's vice provost for information services, described the problem as a "hole" in the computer's security system that could allow a "medium-expert hacker" to break into the computer. She attributed the problem to Microsoft Windows, not the SEVIS software. "The server was secure when it was installed," she said. "We were installing a security upgrade to the system when a hole we had fixed reverted to its original state."
Source: http://www.thekansascitychannel.com/education/1930636/detail.html

January 23, Wired
Security hole discovered in Sprint DSL modems.

Sprint DSL customers are at risk of having their e-mail addresses and passwords stolen -- even when their computers are powered off -- due to weak security controls on their DSL modems. Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXEL Prestige 642 and 645 DSL modems is by default protected with a password of "1234." But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password. Sprint spokeswoman Laura Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to customers. Not to be confused with the Sprint DSL account password, the administrative password allows a remote user to access the modem's configuration software over the Internet. Sprint could not say how many of its more than 110,000 DSL customers might be affected. Tigges said Sprint will post instructions on its support website for disabling the remote administration feature, and customers can also get assistance from Sprint's technical support staff.
The company also plans to begin shipping DSL modems without the feature beginning in February, she said.
Source: http://www.wired.com/news/infostructure/0,1377,57342,00.html

Virus: #1 Virus in USA: WORM_KLEZ.H
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend Micro World Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 1434 (ms-sql-m), 137 (netbios-ns), 1433 (ms-sql-s), 80 (http), 139 (netbios-ssn), 445 (microsoft-ds), 53 (domain), 4662 (???), 135 (???), 21 (ftp)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
http://listserv.infragard.org/mailman/listinfo/information_technology
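The NIPC advisory in the digest above gives a network team concrete indicators for this event: UDP traffic to port 1434 carrying a payload of roughly 376 bytes, from seemingly random source addresses, at whatever rate an infected host can sustain, with some destinations falling in multicast ranges; it also asks for 1434/udp to be filtered in both directions. The Python script below is an added example, not part of the NIPC advisory or the UPI article, that applies those indicators to firewall log lines. The log format, the firewall name, the 10.0.0.0/8 site range, the per-second threshold and every log line are constructed for the example; only port 1434/udp and the approximate 376-byte size come from the advisory. The egress side matters as much as the ingress side: an internal host emitting 1434/udp outward at a high rate is itself infected, which is the practical reason the advisory recommends egress filtering.

```python
"""Flag Slammer-style UDP/1434 activity in firewall logs (added example).

Not part of the NIPC advisory or the UPI article. The log format, firewall
name, address ranges and log lines below are constructed for illustration;
port 1434/udp and the ~376-byte payload size are the indicators the
advisory gives.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed log format (hypothetical firewall):
#   "<Mon DD HH:MM:SS> <fw> <action> <proto> <src>:<sport> -> <dst>:<dport> len=<udp payload bytes>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)

SLAMMER_PORT = 1434        # ms-sql-m, the port named in the advisory
SLAMMER_PAYLOAD = 376      # approximate UDP payload size the advisory reports
LEN_TOLERANCE = 8          # constructed: a few bytes of slack around 376
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # constructed site range


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def is_internal(ip):
    """True if the address falls inside one of the site's own ranges."""
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_slammer_like(rec):
    """UDP to 1434 with a payload close to 376 bytes. Ordinary SQL Server
    Resolution Service queries also use 1434/udp but are far smaller, so
    they are not flagged."""
    return (rec["proto"].lower() == "udp"
            and rec["dport"] == SLAMMER_PORT
            and abs(rec["len"] - SLAMMER_PAYLOAD) <= LEN_TOLERANCE)


def analyze(lines, pps_threshold=5):
    """Summarise Slammer-like traffic in the given log lines.

    A source that sends pps_threshold or more matching packets within any
    one second is reported: internal sources are infected hosts (egress),
    external sources are scanners (ingress). Sources that hit multicast
    destinations are listed separately because the advisory warns about
    multicast-enabled routers and networks.
    """
    per_second = Counter()      # (src, second) -> matching packets
    multicast_sources = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_slammer_like(rec):
            continue
        per_second[(rec["src"], rec["ts"])] += 1
        if ipaddress.ip_address(rec["dst"]).is_multicast:
            multicast_sources.add(rec["src"])

    peak_pps = {}
    for (src, _second), n in per_second.items():
        peak_pps[src] = max(peak_pps.get(src, 0), n)
    noisy = {src for src, n in peak_pps.items() if n >= pps_threshold}

    return {
        "infected_internal": sorted(s for s in noisy if is_internal(s)),
        "external_scanners": sorted(s for s in noisy if not is_internal(s)),
        "multicast_sources": sorted(multicast_sources),
        "peak_pps": peak_pps,
    }


# Constructed sample: one internal host spraying 1434/udp outward (one packet to
# a multicast address), one external scanner sweeping inward, and benign traffic
# (a small SQL Server Resolution query, a TCP 1433 connection, a DNS lookup).
SAMPLE_LOG = """\
Jan 25 01:31:02 fw1 deny udp 10.0.0.5:1138 -> 203.0.113.9:1434 len=376
Jan 25 01:31:02 fw1 deny udp 10.0.0.5:1138 -> 224.0.1.7:1434 len=376
Jan 25 01:31:02 fw1 deny udp 10.0.0.5:1138 -> 198.51.100.77:1434 len=376
Jan 25 01:31:02 fw1 deny udp 10.0.0.5:1138 -> 192.0.2.250:1434 len=376
Jan 25 01:31:02 fw1 deny udp 10.0.0.5:1138 -> 203.0.113.200:1434 len=376
Jan 25 01:31:03 fw1 permit udp 198.51.100.23:40011 -> 10.0.0.21:1434 len=376
Jan 25 01:31:03 fw1 permit udp 198.51.100.23:40011 -> 10.0.0.22:1434 len=376
Jan 25 01:31:03 fw1 permit udp 198.51.100.23:40011 -> 10.0.0.23:1434 len=376
Jan 25 01:31:03 fw1 permit udp 198.51.100.23:40011 -> 10.0.0.24:1434 len=376
Jan 25 01:31:03 fw1 permit udp 198.51.100.23:40011 -> 10.0.0.25:1434 len=376
Jan 25 01:31:04 fw1 permit udp 10.0.0.8:1434 -> 10.0.0.30:1434 len=24
Jan 25 01:31:04 fw1 permit tcp 10.0.0.8:52100 -> 10.0.0.30:1433 len=0
Jan 25 01:31:04 fw1 permit udp 10.0.0.9:53211 -> 10.0.0.2:53 len=41
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the internal host 10.0.0.5 is reported as infected (it also appears in the multicast list), 198.51.100.23 is reported as an external scanner, and the 24-byte SQL Server Resolution query to 1434/udp is left alone. The per-second peak rather than a total count is what distinguishes worm traffic from a few stray queries, and the size check is what keeps the detector from treating every 1434/udp packet as hostile on a network that legitimately runs SQL Server.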
This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 12:03:24 PST