-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Wednesday, March 19, 2003 7:08 AM
To: Information Technology
Subject: [Information_technology] Daily News 3/19/03

March 18, Federal Computer Week
Army Web server hacked.
A hacker last week exploited a previously unknown vulnerability in Microsoft Corp.'s Windows 2000 operating system to gain control of an Army Web server. Russ Cooper of security services company TruSecure Corp. said that on March 10 the hacker used an attack code to operate the Army system as if he or she had the highest security clearance and therefore was able to gain complete control of the system. The Army identified the problem after performing a network scan and finding data output from a port on one of its internal servers to an "unspecified region," he said. Both Microsoft and Carnegie Mellon University's CERT Coordination Center issued security warnings about the "buffer overflow" vulnerability and Microsoft has developed a patch, available on the Microsoft Web site, to fix it. The vulnerability affects systems running Microsoft Windows 2000 with Internet Information Server (IIS) 5.0 enabled and the code exploits an unchecked buffer in the WebDAV protocol. Exactly which Army computer was attacked, the sensitivity of the data contained on the system, and the attacker's intentions are still unknown. Compounding the surprising nature of an attack on a Defense Department system is the fact that this was a previously unknown vulnerability, or "zero-day exploit," which are extremely rare in the computer security arena. Vendors often issue patches before hackers have infiltrated a system.
Source: http://www.computerwire.info/brnews/5C4592250BC485B508256CED0003C976

March 18, Government Computer News
DHS warns about systems threats as war looms.
The Department of Homeland Security (DHS) on Tuesday reminded Internet users to be vigilant for cyberattacks in light of the ultimatum President Bush issued Monday that Iraqi President Saddam Hussein leave his country or face military invasion. The department and other federal agencies are monitoring "the Internet for signs of a potential terrorist attack, cyberterrorism, hacking and state-sponsored information warfare," a Homeland Security statement said. "Industry and public Internet users are reminded of the importance of employing sound security practices and reporting unusual activity or intrusion attempts to DHS or local law enforcement."
Source: http://www.gcn.com/vol1_no1/daily-updates/21419-1.html

March 17, CNET News.com
Linux firms urge users to plug Samba hole.
The open-source community is urging customers to patch their systems to close a hole in a software component that allows Windows programs to store and retrieve files on Linux and Unix servers. Known as Samba, the software can be found on many workstations and servers running any one of the variety of flavors of Linux and Unix, including systems running Apple OS X. The flaw occurs in the code that reassembles data that the software receives from the Internet, according to the advisory. By sending the server a specially crafted data packet, an attacker could overload the memory used by the Samba software and cause the application to run code of the intruder's choice. Members of the Samba team planned to announce the vulnerability on Tuesday, but they released information over the weekend because some believed a Web site break-in in Germany may have been attributed to the software. Several Linux editions--including Debian, Gentoo, and SuSE--released patches for the problem. Apple Computer noted in an advisory that Samba is not enabled by default with Mac OS X and Mac OS X Server, but the company plans to issue a patch for version 10.2.4. Red Hat hasn't yet released a patch but will do so soon, the company said in a statement.
Source: http://news.com.com/2100-1002-992965.html?tag=fd_top

March 17, eWEEK
More net attacks loom, CERT says.
The recent rash of Internet worms has produced an army of hundreds of thousands of compromised machines that could ultimately be used to launch a massive distributed-denial-of-service attack at any time, according to security officials. Officials at the CERT Coordination Center said the organization is monitoring at least five large networks of compromised machines installed with so-called bots. The bots connect compromised PCs or servers to Internet Relay Chat servers, which attackers commonly use to execute commands on the remote systems. At least one of these networks has more than 140,000 machines, officials said. CERT's dire warning is underscored by last week's emergence of the Deloder and Code Red.F worms. While neither worm does any immediate damage to infected machines, both install back doors that enable attackers to use compromised machines for future, much more damaging operations, such as DDoS attacks. At the heart of this new trend, according to security experts, are poor security practices. But more important is the mistaken belief by corporate IT that once crises such as those caused by Code Red or SQL Slammer die down, the trouble's over. In fact, after an initial flurry of advisories, warnings and patches, there are often months or years of sustained infections and residual DDoS attacks, Marty Lindner of CERT said. Also problematic are the many affected machines belonging to home users, few of whom do any logging of the activity on their PCs. As a result, attackers can easily hide their tracks by using these anonymous computers, according to the experts.
Source: http://www.eweek.com/article2/0,3959,935790,00.asp

March 17, eWEEK
Deloder, Lovgate worms mark perils of slack security policy.
Many computer users persist in using their names or children's birthdays as log-on credentials, and two recent worm outbreaks have shown why that's such a risky practice. Deloder, the latest worm to hit vulnerable Windows machines, as well as a recent version of Lovgate, both use a list of common passwords in an attempt to compromise computers. Lovgate began spreading late last month, while Deloder appeared last week. Although neither worm has spread as far or as fast as threats such as SQL Slammer or Code Red, both Deloder and Lovgate clearly illustrate the danger inherent in lax security policies. In Deloder's case, the worm tries to connect to random Windows NT, Windows 2000 and Windows XP machines on TCP port 445, normally used by Microsoft Corp.'s Active Directory. It then looks for network shares on the remote machine and, if it finds any, tries to copy itself to the shares by using easily guessed passwords to gain access. The worm also installs a Trojan horse and a utility for executing commands on remote machines. Lovgate behaves in a similar fashion. It spreads from an infected machine using the Messaging API Windows functions by answering recent mail with an infected reply. It then tries to copy itself to network shares and their sub-folders. If the folders are password-protected, Lovgate tries passwords such as "admin" and "123."
Source: http://www.eweek.com/article2/0,3959,936327,00.asp

Internet Security Systems - AlertCon: 2 out of 4
https://gtoc.iss.net/
Last Changed 18 March 2003

Security Focus ThreatCon: 2 out of 4
www.securityfocus.com
Last Changed 18 March 2003

Current Virus and Port Attacks

Virus: #1 Virus in USA: WORM_KLEZ.H
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 80 (www), 137 (netbios-ns), 1434 (ms-sql-m), 113 (ident), 445 (microsoft-ds), 25 (smtp), 139 (netbios-ssn), 53 (domain), 4662 (eDonkey2000), 0 (---)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
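The Deloder item in the digest describes a worm that sweeps TCP port 445 looking for shares to guess its way into. As an added example that is not part of the original digest, the Python below flags any internal source that contacts many distinct hosts on 445 within a short window, which is the network-side footprint of that sweep; the log line format, IP addresses and thresholds are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection-log lines (hypothetical firewall export format):
# "<iso-timestamp> <src_ip> -> <dst_ip>:<dst_port> <flag>"
SAMPLE_LOG = """\
2003-03-18T09:00:01 10.0.5.21 -> 10.0.7.11:445 SYN
2003-03-18T09:00:01 10.0.5.21 -> 10.0.7.12:445 SYN
2003-03-18T09:00:02 10.0.5.21 -> 10.0.7.13:445 SYN
2003-03-18T09:00:02 10.0.5.21 -> 10.0.7.14:445 SYN
2003-03-18T09:00:03 10.0.5.21 -> 10.0.7.15:445 SYN
2003-03-18T09:00:03 10.0.5.21 -> 10.0.7.16:445 SYN
2003-03-18T09:00:05 10.0.5.40 -> 10.0.1.2:445 SYN
2003-03-18T09:00:09 10.0.5.40 -> 10.0.1.2:445 SYN
2003-03-18T09:01:00 10.0.5.40 -> 10.0.1.3:80 SYN
2003-03-18T09:30:00 10.0.5.21 -> 10.0.9.1:445 SYN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")

def parse(log_text):
    """Yield (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))

def find_smb_fanout(log_text, port=445, threshold=5, window=timedelta(seconds=60)):
    """Return {src: max distinct hosts} for sources that reached at least
    `threshold` distinct hosts on `port` inside any sliding `window`.
    A normal file-server client talks to a few hosts; a worm sweeps many."""
    events = defaultdict(list)
    for ts, src, dst, p in parse(log_text):
        if p == port:
            events[src].append((ts, dst))
    hits = {}
    for src, rows in events.items():
        rows.sort()                      # order by time for the sliding window
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1               # drop events that fell out of the window
            distinct = {dst for _, dst in rows[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits
```

Running `find_smb_fanout(SAMPLE_LOG)` on the constructed log reports only 10.0.5.21, which touched six hosts on 445 in three seconds; the repeated connections from 10.0.5.40 to one file server do not trip the rule.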
This archive was generated by hypermail 2b30 : Wed Mar 19 2003 - 10:46:15 PST