OCIPEP DAILY BRIEF Number: DOB02-171 Date: 23 October 2002
http://www.ocipep.gc.ca/DOB/DOB02-171_e.html

NEWS

OCIPEP issues Information Note IN02-008 - McAfee Anti-virus

OCIPEP has issued Information Note IN02-008 regarding a report that McAfee anti-virus software is generating false reports of W32/Insane infections. The false detections occur when the 4229 DAT files are used with engine versions 4.0.70 and 4.1.40. Details on how to fix the problem can be found on the McAfee site.

OCIPEP Comment: The latest OCIPEP Information Notes are available at http://www.ocipep.gc.ca/emergencies/infonotes_e.html

******************
(IWS Comment: A quote from someone from InfraGard: 'Note, 4.0.70 and 4.1.40 engines are unsupported engines. 4.1.60 is needed today. If you encounter this, you are to upgrade to 4.1.60.' WEN)
******************

DDoS attack on Internet root servers

On 21 October 2002, a distributed denial-of-service (DDoS) attack was detected by monitoring agencies in North America. The attack targeted the 13 root Domain Name System (DNS) servers that provide worldwide address translation for the entire DNS network. It began in earnest at approximately 4:00 pm EDT and lasted for approximately one hour. Traffic from several Internet service providers was slightly delayed.

(Source: matrixnetsystems.com, 22 October 2002; news.com, 22 October 2002)

OCIPEP Comment: According to reports, during the attack the average reachability for the entire DNS network only briefly dropped below 94%, from normal levels near 100%. The attack had negligible effects on the Internet.

City of Ottawa to spend on CBRN preparedness supplies

Plans are underway for Ottawa police, fire and medical services to purchase almost $800,000 worth of supplies that would be needed in the event of a chemical, biological, radiological or nuclear (CBRN) attack or accident in the capital. This amount would be in addition to the $330,000 spent so far this year. The funds stem from the Joint Emergency Preparedness Program (JEPP), under which municipalities share the cost of emergency materials and training with the federal and provincial governments.

(Source: fyiottawa.com, 23 October 2002)

OCIPEP Comment: Funding to increase CBRN capacity for first responders was identified in the December 2001 federal budget. The funding identified in this report is part of that package and involves spending of $10M over two years (2001-02, 2002-03) on specialized CBRN equipment for first responders across the country. OCIPEP has been working with provinces and territories to ensure an enhanced national capacity to respond to CBRN incidents. Applications have been invited through the Joint Emergency Preparedness Program using a 75% federal, 25% provincial cost share. The national capital region has a multidisciplinary CBRN team that has been working together for several years.

NRCan releasing report on climate change

Natural Resources Canada released on 22 October the latest chapters of its continuing report on climate change. The agriculture and forestry chapters of Climate Change Impacts and Adaptation: A Canadian Perspective review recent Canadian impacts and adaptation research in the forestry and agricultural sectors. These are the second and third chapters of the report; a chapter on water resources has already been published. Chapters are being published as they become available. The full report will comprise 13 chapters. Nine focus on specific sectors: water resources (published), agriculture, forestry, fisheries, coastal zone, health, transportation, communities, and recreation and tourism. Other chapters provide background information and address research methods, costing and knowledge gaps. A synthesis report of about 20 pages will also be produced.

(Source: NRCan)

OCIPEP Comment: To access the report as it becomes available, go to: http://adaptation.nrcan.gc.ca/perspective.asp

IN BRIEF

West Nile virus confirmed in Alberta

Alberta health officials say a man from the Calgary region was likely infected with the West Nile virus while traveling in Louisiana or Texas this summer. With cases of animal infection already reported in Saskatchewan, officials say more cases of the virus can be expected in Alberta by next summer. However, Dr. Karen Grimsrud, Alberta's deputy provincial health officer, insists the risk to humans remains low.

(Source: Edmonton.cbc.ca, 22 October 2002)

CYBER UPDATES

See: What's New for the latest Alerts, Advisories and Information Products
See: News - OCIPEP issues Information Note IN02-008 - McAfee Anti-virus
See: News - DDoS attack on Internet root servers

Threats

Symantec reports on W32.HLLW.Loxar, a worm written in Delphi and packed with tElock that propagates via the KaZaA network. It copies itself to the root folder of all drives and to the KaZaA shared folder using a name chosen randomly from a list the worm carries. On December 13, the worm might start Notepad and display a message in the window. It attempts to terminate the processes of a number of anti-virus and firewall programs.
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.loxar.html

Symantec reports on W97M.Wisefool, a polymorphic macro virus that infects MS Word documents when they are opened using the Normal.dot template.
http://securityresponse.symantec.com/avcenter/venc/data/w97m.wisefool.html

Symantec reports on VBS.AVFake, which is written in VBScript and attempts to delete registry values for several anti-virus and firewall products. On September 1 it displays the message "Mr.Carew vuelve otra vez!!, jaja".
http://securityresponse.symantec.com/avcenter/venc/data/vbs.avfake.html

Trend Micro reports on WORM_PORKIS.B, a variant of WORM_PORKIS.A. It propagates via e-mail by sending itself to all recipients listed in the Windows Address Book (WAB). It arrives with the subject line "Bin Laden Bastardo!!!!! Leggete urgentemente questa e-mail!! (11 settembre da ricordare)Verit" and the attachments "jocker.exe", "Joker.exe" and "Jok.exe".
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_PORKIS.B

Vulnerabilities

SCO UnixWare 7.1.1 and Open UNIX 8.0.0 denial-of-service vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4586

NetBSD kadmind daemon buffer overflow vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4589

NetBSD ESP denial-of-service vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4588

Mandrake Linux gv versions 3.5.8 and earlier buffer overflow vulnerability. (SecurityFocus)
http://online.securityfocus.com/advisories/4587

EnGarde Secure Linux local kernel vulnerabilities. (SecurityFocus)
http://online.securityfocus.com/advisories/4590

Full zone information disclosure on top-level domain name servers vulnerability. (SecuriTeam)
http://www.securiteam.com/securitynews/6L00S0A5PG.html

TCP/IP firewall bypassing vulnerability. (SecuriTeam)
http://www.securiteam.com/securitynews/6M00T0A5PS.html

D-Link Access Point DWL-900AP+ B1 versions 2.1 and 2.2 TFTP vulnerability. (SecuriTeam)
http://www.securiteam.com/securitynews/6N00S0A5RI.html

NOCC cross-site scripting vulnerabilities. (SecuriTeam)
http://www.securiteam.com/unixfocus/6E00L0A5PK.html

kmMail cross-site scripting vulnerability. (SecuriTeam)
http://www.securiteam.com/unixfocus/6I00P0A5PO.html

paFileDB cross-site scripting vulnerabilities. (SecuriTeam)
http://www.securiteam.com/unixfocus/6J00Q0A5PK.html

Tools

Packet Excalibur is a multi-platform graphical and scriptable network packet engine with extensible text-based protocol descriptions. (SecuriTeam)
http://www.securiteam.com/tools/6N00I2K5PC.html

RPCAP (Remote Packet Capture system) enables users to run a packet capture program (the server) on a target computer, which sniffs the network traffic on that system and uplinks the captured packets to another host (the client), where they can be processed, analyzed and archived. (SourceForge)
http://rpcap.sourceforge.net/

NTAL (Network Traffic Analyzer) 0.2.2 is a tool for experimenting with network traffic, built around the basic concepts of simplicity and flexibility. (SourceForge)
http://ntal.sourceforge.net/

DansGuardian 2.4.6.5 is a web content filter that currently runs on Linux, FreeBSD, OpenBSD and Solaris. (DansGuardian)
http://dansguardian.org/

N-Stealth v3.5 is a vulnerability assessment tool for Windows that scans web servers for bugs that allow attackers to gain access. (N-Stalker)
http://www.nstalker.com/

Stunnel 4.02 is a program that allows the encryption of arbitrary TCP connections inside SSL (Secure Sockets Layer), available on both Unix and Windows. (Stunnel)
http://www.stunnel.org/

The Bastille Hardening System 2.0.1 attempts to "harden" or "tighten" Linux/Unix operating systems. (Bastille Linux)
http://www.bastille-linux.org/

Logrep 1.2.4 is a framework for the extraction and presentation of information from several kinds of logfiles. (SourceForge)
http://logrep.sourceforge.net/

Rtdump 1.0 is a version of tcpdump modified to capture traffic on remote systems and networks.
http://rpcap.sourceforge.net/

Logwatch 4.1 analyzes and reports on UNIX system logs.
http://www.logwatch.org/

CONTACT US

To add or remove a name from the distribution list, or to modify existing contact information, e-mail: [EMAIL PROTECTED]

For urgent matters or to report any incidents, please contact OCIPEP's Emergency Operations Centre at:
Phone: (613) 991-7000
Fax: (613) 996-0995
Secure Fax: (613) 991-7094
Email: [EMAIL PROTECTED]

For general information, please contact OCIPEP's Communications Division at:
Phone: (613) 944-4875 or 1-800-830-3118
Fax: (613) 998-9589
Email: [EMAIL PROTECTED]
Web Site: www.ocipep-bpiepc.gc.ca

Disclaimer

The information in the OCIPEP Daily Brief has been drawn from a variety of external sources. Although OCIPEP makes reasonable efforts to ensure the accuracy, currency and reliability of the content, OCIPEP does not offer any guarantee in that regard. The links provided are solely for the convenience of OCIPEP Daily Brief users. OCIPEP is not responsible for the information found through these links.

IWS INFOCON Mailing List @ IWS - The Information Warfare Site
http://www.iwar.org.uk
