TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Copyright 2001 Internet Security Systems (trademark) THE POWER TO
PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Nov 2nd - Nov 5th, 2001
ISS X-Force Special Operations Group

- ----------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
- ----------------------------------------

AlertCon 1              Today, Nov 2nd, 2001
AlertCon 1      For Nov 3rd-5th, 2001 
 
*************

- - We have gone back to AlertCon 1 - normal Internet insecurities, 24 x
7 attacks from all over the world, and general, unregulated chaos. We
are projecting AlertCon 1 through mid-day on Monday, Nov 5th.

- - Because exploits normally take time to develop traction within the
hacker community, there is a time lag from the day of publishing which
gives the White Hats time to armor themselves. We advise continued
work on patching to avoid trouble from the significant SSH
vulnerabilities and associated exploits we have highlighted all week. 

- - Nimda-E and previous versions of the worm are still out there and
actively seeking new machines to infect. Patching the vulnerabilities
this worm exploits is the only way to keep your network from hosting
the zombies that continue to plague the Internet with this malicious
code. We applaud the growing movement by commercial ISPs to instruct
their customers to either take care of these problems or lose their
Internet access. That is possibly the only practical way to impact the
home computer population that has high-speed access and high security
resistance. Since this type of worm is undoubtedly now the propagation
method of choice for malicious code - everything we can do to blunt
their effects is welcome.
 
- -------------------------------------
SOLUTIONS
- -------------------------------------

- - SSH vulnerabilities and exploitation.

- -- Review the ISS X-Force advisory
<http://xforce.iss.net/alerts/advise100.php> for information regarding
the exploitation of SSH CRC32 and the Cisco write-up on the original
vulnerability
<http://www.cisco.com/warp/public/707/SSH-multiple-pub.html>.

- -- Verify the patches have been applied to your implementation of SSH
and consider limiting port access to just those IP addresses using SSH
to support your business requirements. 

- -- Here are some additional advisories posted for the SSH
vulnerabilities:

- -- Remote vulnerabilities in OpenSSH
<http://linuxtoday.com/news_story.php3?ltsn=2001-10-25-001-20-SC>

- -- SSH Secure Shell Authentication Bypass Vulnerability
<http://xforce.iss.net/alerts/advise88.php>

- -- OpenSSH - Possible to determine password length
<http://www.trustix.org/pipermail/tsl-announce/2001-March/000002.html>
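As an added illustration of the "verify the patches have been applied" step above (example code added here, not ISS's or any vendor's tooling): a Python check that parses the identification banner an SSH server sends and compares the advertised software version against a minimum version you supply. The banner shape `SSH-<proto>-<software>[ comments]`, the `product_version` naming convention, and the `ASSUMED_FLOOR` table are assumptions for illustration; the floor value is a placeholder, not a version taken from the advisories above, so substitute the version your vendor names as patched.

```python
import re
from typing import Optional

# Identification string as servers send it: "SSH-<protoversion>-<softwareversion> [comments]".
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comments>.*))?$")

# PLACEHOLDER floor, not taken from the advisories: replace with the version your vendor
# names as fixed for the issues you are tracking.
ASSUMED_FLOOR = {"OpenSSH": (2, 9, 9)}


def parse_banner(banner: str) -> Optional[dict]:
    """Split a banner into protocol version, product, version and comments; None if malformed."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    software = m.group("software")
    # Assumed vendor convention "<product>_<version>" (e.g. OpenSSH_2.9p2); when no product
    # prefix is present, treat the whole token as the version and the product as unknown.
    product, sep, version = software.partition("_")
    if not sep:
        product, version = "unknown", software
    return {
        "proto": m.group("proto"),
        "product": product,
        "version": version,
        "comments": m.group("comments") or "",
    }


def version_tuple(version: str) -> tuple:
    """Turn '2.9p2' into (2, 9, 2) so versions compare as tuples; portable patch levels count
    as a trailing component, which is good enough for a floor check but not a full parser."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def assess_banner(banner: str, minimum: dict) -> list:
    """Return the list of findings for one banner; an empty list means nothing was flagged."""
    info = parse_banner(banner)
    if info is None:
        return ["unparseable banner"]
    findings = []
    # 1.x means protocol 1 only; 1.99 means the server offers both 1 and 2.
    if info["proto"] == "1.99":
        findings.append("still offers SSH protocol 1 alongside 2")
    elif info["proto"].startswith("1."):
        findings.append("offers only SSH protocol 1")
    floor = minimum.get(info["product"])
    if floor is None:
        findings.append(f"no minimum known for product {info['product']!r}; verify manually")
    elif version_tuple(info["version"]) < floor:
        findings.append(f"{info['product']} {info['version']} is below the assumed patched floor {floor}")
    return findings


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for sample in ["SSH-1.99-OpenSSH_2.9p2", "SSH-2.0-OpenSSH_3.0p1 Debian", "SSH-1.5-1.2.27", "garbage"]:
        print(f"{sample:<35} -> {assess_banner(sample, ASSUMED_FLOOR) or ['ok']}")
```

Feed it the banner line you record from each of your own servers; anything that comes back with a finding is a host to look at before the exploits the update describes gain traction.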

- - Nimda-E Worm. This worm seeks the same vulnerabilities as earlier
versions of the Nimda worm, so those devices with the IIS patch
installed will not be affected. The number of alarms we see daily on
this worm makes it clear there is still a lot of patching to do. 

- -- Those relying on anti-virus solutions to defend against Nimda will
need to pay attention since the strings have changed and until your
vendor catches up you may be vulnerable to successful exploitation. 

- -- Far better to install the IIS and other relevant Microsoft patches.

- -- Patch your Win 2K and NT machines from these links:

- --- Win 2K
<http://www.microsoft.com/windows2000/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redirect%3Dno>

- --- Win NT
<http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/default.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30833%26redirect%3Dno>

- --- Make sure Outlook is patched (MS01-020) and that your IE browser
is updated so you're running IE 5.01 SP2, IE 5.5 SP2, or IE 6.0, to be
sure you're not vulnerable, or apply the MS01-027 patch (which
supersedes MS01-020).  

- -------------------------------------
Attack Signature Ranking - global IDS, midnight - midnight, previous
day, % of total
- -------------------------------------

Protocol Decode              40.80%
Unauthorized Access Attempt  40.25%
Denial Of Service            10.23%
Pre-Attack Probe             05.14%
Suspicious Activity          03.57%
Back Door                    00.01%   

- -------------------------------------
Top Ten Attack Destination Ports - global IDS, midnight - midnight,
previous day, % of top ten (port names found at
<http://www.iana.org/assignments/port-numbers>)
- -------------------------------------

80       (http)              87.72%
25       (smtp)              04.35%
22       (ssh)               03.00%
21       (ftp)               02.78%
443      (https)             00.50%
113      (ident-auth)        00.38%
143      (imap)              00.38%
139      (netbios-ss)        00.34%
15104    (unassigned)        00.30%
123      (ntp)               00.27%
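To show how rankings like the two tables above are derived from an IDS feed, here is an added Python example (not ISS code; the alert line format and the PORT_NAMES map are assumptions, and SAMPLE_ALERTS is constructed data). It restricts the feed to one midnight-to-midnight GMT day, ranks signature categories as a share of all alerts for that day, and ranks destination ports as a share of the top-n total, which is why the port table's column sums to 100% over the ten listed ports rather than over all traffic.

```python
from collections import Counter

# Constructed sample alert lines (not a real ISS feed). Assumed format:
#   <ISO-8601 timestamp, GMT> <signature category> <destination port>
SAMPLE_ALERTS = [
    "2001-10-31T23:58:10Z Protocol Decode 80",              # previous day, excluded
    "2001-11-01T00:13:02Z Protocol Decode 80",
    "2001-11-01T01:40:11Z Unauthorized Access Attempt 80",
    "2001-11-01T02:05:59Z Protocol Decode 25",
    "2001-11-01T03:22:40Z Denial Of Service 80",
    "2001-11-01T04:01:07Z Pre-Attack Probe 22",
    "2001-11-01T05:18:33Z Unauthorized Access Attempt 21",
    "2001-11-01T06:44:12Z Suspicious Activity 443",
    "2001-11-01T07:09:45Z Protocol Decode 80",
    "2001-11-01T09:55:21Z Unauthorized Access Attempt 80",
    "2001-11-01T18:30:00Z Protocol Decode 25",
    "2001-11-02T00:00:01Z Protocol Decode 80",              # next day, excluded
]

# Small assumed port-name map in the style of the IANA registry the report links to.
PORT_NAMES = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 113: "ident-auth", 443: "https"}


def parse_alert(line):
    """Split one alert line into (date, category, port); the category may contain spaces."""
    timestamp, rest = line.split(" ", 1)
    category, port = rest.rsplit(" ", 1)
    return timestamp[:10], category, int(port)


def alerts_for_day(lines, day):
    """Keep only alerts whose GMT date equals `day` (midnight to midnight)."""
    return [(cat, port) for d, cat, port in map(parse_alert, lines) if d == day]


def signature_ranking(lines, day):
    """Rank signature categories by share of ALL alerts for the day (% of total)."""
    counts = Counter(cat for cat, _ in alerts_for_day(lines, day))
    total = sum(counts.values())
    if not total:
        return []
    return [(cat, round(100.0 * n / total, 2)) for cat, n in counts.most_common()]


def top_destination_ports(lines, day, n=10):
    """Rank the n busiest destination ports by share of the TOP-n total, not of all alerts."""
    counts = Counter(port for _, port in alerts_for_day(lines, day))
    top = counts.most_common(n)
    top_total = sum(c for _, c in top)
    if not top_total:
        return []
    return [(port, PORT_NAMES.get(port, "unassigned"), round(100.0 * c / top_total, 2))
            for port, c in top]


def render_ports(rows):
    """Format port rows the way the report prints them, e.g. '80       (http)   62.50%'."""
    return "\n".join(f"{port:<9}{'(' + name + ')':<20}{pct:05.2f}%" for port, name, pct in rows)


if __name__ == "__main__":
    day = "2001-11-01"
    for cat, pct in signature_ranking(SAMPLE_ALERTS, day):
        print(f"{cat:<28} {pct:05.2f}%")
    print()
    # Top three instead of ten so the "% of top n" normalisation is visible on the small sample.
    print(render_ports(top_destination_ports(SAMPLE_ALERTS, day, n=3)))
```

Note the two different denominators: with the sample data, port 80 carries 50% of all alerts but 62.5% of the top-three total, so a port's figure in the report's table cannot be read as its share of the whole feed.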

- ---------------------------------------
VIRUS, TOP 10 and NEW VULNERABILITIES, NEWS UPDATES
- ---------------------------------------

- - Visit <http://www.iss.net> under 'Global Internet Threat
Intelligence Service'

- - According to Sophos <http://www.sophos.com/virusinfo/topten/> the
top ten viruses in October 2001 were:

1.  W32/Sircam-A    21.7%
2.  W32/Nimda-A     17.8%
3.  W32/Magistr-B   16.1%
4.  W32/Magistr-A   09.2%
5.  W32/Hybris-B    06.6%
6.  VBS/Kakworm     02.5%
7.  UNIX/Sadmind    01.9%
8.  W32/Apology-B   01.3%
9.  W32/Verona-B    01.2%
10. VBS/Haptime-A   01.0%

- ---------------------------------------
Defacement Watch based on www.alldas.de <http://www.alldas.de> 
- ---------------------------------------

- - Their stats show that since April, 2000, the most defaced OS is
Windows, with a total of 15,645 defacements reported to Alldas.de, for
64% of the total. Although growing in popularity as a target, Linux is
a distant second with 4410 defacements reported for 18% of the total.

- - Alldas.de reports 31 defacements yesterday. Details can be seen at
www.alldas.de <http://www.alldas.de> under 'current month'. Six of the
31 mirrors contained the standard hacker propaganda about the
wonderful public service they perform by pointing out all the weak web
sites on the Internet. One defacement had an anti-war/anti-U.S.
message. The remaining 25 had no political message, just the juvenile,
stylized prose these defacements normally contain. Once again, the
sites that were defaced bore no obvious relationship to the message -
they were likely just the low hanging fruit with easy-to-exploit
vulnerabilities. 

- ---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER 
- ---------------------------------------

NOTE 1: Our web site has this information in a more attractive format,
with graphics, available to the public at no cost at www.iss.net
<http://www.iss.net> under 'Global Internet Threat Intelligence
Service' <https://gtoc.iss.net/secure/whatshot.php>. Screen captures
(Control/PrtSc) of the site's pages dropped into PowerPoint can be an
effective way to communicate various aspects of the Internet threat,
e.g. the graph depicting 'AlertCon Trends'
<https://gtoc.iss.net/secure/graph.html>.

NOTE 2: We provide this information on Internet threat metrics,
viruses, vulnerabilities, patches, and breaking news, in the spirit of
PDD 63, to help security professionals wage the war against Internet
threats more effectively. Information in this update is derived
primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D
Team research, and professional liaison. Other sources as noted. AlertCon 1
reflects the global, malicious, determined, 24 x 7 attacks experienced
by all networks. AlertCon 2 means increased vigilance/action
recommended due to a specific threat or concern. AlertCon 3 means
increased attacks against specific targets or vulnerabilities on a
scale that is unusually high, action required. AlertCon 4 reflects an
Internet emergency for a target or group of targets whose business
continuity may depend on some sort of immediate, decisive action. All
summaries cover 24 hours the previous workday, GMT. Monday summaries
may cover some weekend activity. 

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to [EMAIL PROTECTED]
<mailto:[EMAIL PROTECTED]> 

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information. In
no event shall the author be liable for any damages whatsoever arising
out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk. No other use
authorized. FOIA Exemption 4. 



Dennis
Dennis Treece
Director, 
Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065



-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBO+LNzeOOe/7N9KJeEQIL3gCg8FnT39RSXbYtSLLYIogw5U55EjMAoLxu
B36UBEICIyCapW/e1CUNojsK
=wL23
-----END PGP SIGNATURE-----

