
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Copyright 2001 Internet Security Systems (trademark) THE POWER TO
PROTECT

INTERNET THREAT & SOLUTIONS UPDATE for Nov 8th - Nov 12th, 2001
ISS X-Force Special Operations Group

- --------------------------------------
CURRENT THREAT ASSESSMENT & THREAT FORECAST
- --------------------------------------

AlertCon 1              Today, Nov 8th, 2001
AlertCon 1      For Nov 9th-12th, 2001 
 
*************

- - We continue to see no specific threats that would justify a
heightened state of awareness from what is normally required to stay
on top of the habitual, unregulated lawlessness of the Internet; so we
remain at AlertCon 1.

- - Because the now familiar Nimda.E worm and its previous
manifestations continue to impact networks around the world, we
continue to advise aggressive patching of vulnerable Microsoft
systems, especially inside the network. Many networks have been
compromised after the mistaken conclusion that, since their gateways
are protected, they are immune to Nimda infestation. This has time and
time again proven a miscalculation, since there are so many ways to
introduce the worm from a trusted source inside the network. The most
common form of infection is a compromised laptop brought into the
building and plugged into the network.

- - The exploitation of SSH vulnerabilities is also a concern. See
solutions below. 

- - We project AlertCon 1 through mid-day on Monday, Nov 12th, but of
course re-assess the threat on a daily basis and changes always occur
with little or no notice at odd times of the day and night.

- --------------------------------------
SOLUTIONS
- --------------------------------------

- - Nimda.E Worm. This worm seeks the same vulnerabilities as earlier
versions of the Nimda worm, so devices with the proper patches will
not be affected. The number of alarms we see daily on this worm makes
it clear there is still a lot of patching to do. Note that the patches
prevent new infections but do not clean hosts already compromised;
those still need to be disinfected or rebuilt.

- -- Patch your Win 2K and NT machines from these links, and confirm
that the IIS cumulative patch MS01-044 (which covers the directory
traversal, MS00-078, and superfluous decoding, MS01-026, bugs that
Nimda exploits against IIS) is on every IIS host:

- --- Win 2K

<http://www.microsoft.com/windows2000/downloads/critical/q300972/default
.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30800%26redir
ect%3Dno> 
  
- --- Win NT

<http://www.microsoft.com/ntserver/nts/downloads/critical/q300972/defaul
t.asp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D30833%26redi
rect%3Dno>    

- --- Make sure the MS01-020 fix is applied. That is the MIME header
vulnerability Nimda uses to run its mail attachment when the message
is merely previewed in Outlook or Outlook Express, which render mail
with the IE engine. You are covered if you are running IE 5.01 SP2,
IE 5.5 SP2, or IE 6.0; otherwise apply the MS01-027 cumulative patch
(which supersedes MS01-020).
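Nimda's IIS probes leave a recognisable trail in web-server logs, and the volume of alarms above comes from exactly those requests. The following is an added example, not ISS code: it scans constructed CLF-style log lines for the request patterns CERT CA-2001-26 lists for Nimda (root.exe probes left behind by Code Red II, and '..' traversal to cmd.exe via the MS00-078 Unicode and MS01-026 double-decode bugs). The lenient decoder is a simplified model of IIS's behaviour, written for triage, not a copy of IIS code.

```python
"""Flag Nimda-style IIS probes in web-server logs (added example)."""
import re

# Constructed CLF-style log lines; the first five are typical Nimda probes.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Nov/2001:10:12:01 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [08/Nov/2001:10:12:01 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [08/Nov/2001:10:12:02 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
10.0.0.5 - - [08/Nov/2001:10:12:02 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 -
10.0.0.5 - - [08/Nov/2001:10:12:03 +0000] "GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -
192.168.1.20 - - [08/Nov/2001:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 1234
"""

_PCT = re.compile(rb"%([0-9A-Fa-f]{2})")
_CLF = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
CMD_EXE = "winnt/system32/cmd.exe"


def _percent_decode_once(data: bytes) -> bytes:
    return _PCT.sub(lambda m: bytes([int(m.group(1).decode(), 16)]), data)


def iis_lenient_decode(path: str) -> str:
    """Simplified model of how an unpatched IIS canonicalises a path.

    Percent-decode twice (the MS01-026 'superfluous decoding' bug turns
    %255c into a backslash), then fold two-byte overlong UTF-8 sequences
    such as %c0%af and %c1%9c down to the ASCII byte they encode (the
    MS00-078 Unicode traversal). Model for log triage, not IIS's decoder.
    """
    raw = _percent_decode_once(_percent_decode_once(path.encode("latin-1")))
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1").replace("\\", "/").lower()


def classify_request(request_line: str):
    """Label a request line as a Nimda probe, or return None if benign."""
    parts = request_line.split(" ", 2)
    if len(parts) < 2 or parts[0].upper() != "GET":
        return None
    path = parts[1].partition("?")[0]
    decoded = iis_lenient_decode(path)
    if decoded.endswith("/root.exe"):
        return "root.exe backdoor probe (Code Red II leftover)"
    if ".." in decoded and decoded.endswith(CMD_EXE):
        return "directory traversal to cmd.exe (MS00-078/MS01-026)"
    return None


def scan_log(text: str):
    """Return (source IP, HTTP status, label) for every probe in the log."""
    hits = []
    for line in text.splitlines():
        m = _CLF.match(line)
        if not m:
            continue
        label = classify_request(m.group("req"))
        if label:
            hits.append((m.group("src"), m.group("status"), label))
    return hits


if __name__ == "__main__":
    for src, status, label in scan_log(SAMPLE_LOG):
        # A 200 on a cmd.exe probe means the server executed the command;
        # that host needs to be treated as compromised, not just patched.
        print(f"{src} {status} {label}")
```

A 404 on these probes shows the source host is infected and scanning; a 200 on a cmd.exe or root.exe request shows the target ran the command and should be pulled for rebuild. The source addresses that show up this way are the internal laptops the assessment above is warning about.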

- - SSH vulnerabilities and exploitation.

- -- Review the ISS X-Force advisory
<http://xforce.iss.net/alerts/advise100.php> for information regarding
active exploitation of the SSH1 CRC-32 compensation attack detector
vulnerability, and the Cisco write-up on the original vulnerability
<http://www.cisco.com/warp/public/707/SSH-multiple-pub.html> 

- -- Verify the patches have been applied to your implementation of SSH
(check the version your sshd actually runs, not just the package name)
and consider limiting port 22 access to just those IP addresses that
use SSH to support your business requirements. The flaw is in the SSH
protocol 1 code path, so where your clients allow it, disabling
protocol 1 ("Protocol 2" in sshd_config for OpenSSH) removes the
exposure entirely.

- -- Here are some additional advisories posted for the SSH
vulnerabilities:

- -- Remote vulnerabilities in OpenSSH
<http://linuxtoday.com/news_story.php3?ltsn=2001-10-25-001-20-SC> 

- -- SSH Secure Shell Authentication Bypass Vulnerability
<http://xforce.iss.net/alerts/advise88.php>  

- -- OpenSSH - Possible to determine password length
<http://www.trustix.org/pipermail/tsl-announce/2001-March/000002.html>
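Verifying the patch across a fleet usually starts with the identification string each sshd sends on connect. The following is an added example, not ISS's or any vendor's code: it triages banners against the version ranges the public advisories give for the SSH1 CRC-32 compensation attack detector overflow (CVE-2001-0144: OpenSSH before 2.3.0 and ssh.com 1.2.24 through 1.2.31), and treats a server that advertises only SSH-2.0 as out of reach of the SSH1 code. The host names and banners are constructed; the network helper is included for use against real hosts but is not called by the offline check.

```python
"""Triage SSH banners for the SSH1 CRC-32 detector overflow (added example)."""
import re
import socket

_BANNER = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>\S+)")
_OPENSSH = re.compile(r"^OpenSSH[_-](\d+)\.(\d+)(?:\.(\d+))?", re.I)
_SSHCOM1 = re.compile(r"^1\.2\.(\d+)$")

# Constructed banners, in the form a live sshd sends them on connect.
SAMPLE_BANNERS = {
    "hostA": "SSH-1.99-OpenSSH_2.2.0p1",
    "hostB": "SSH-1.99-OpenSSH_2.9p2",
    "hostC": "SSH-2.0-OpenSSH_2.2.0p1",
    "hostD": "SSH-1.5-1.2.27",
    "hostE": "SSH-1.5-1.2.32",
    "hostF": "SSH-1.5-Cisco-1.25",
}


def grab_banner(host, port=22, timeout=5.0):
    """Read the identification line from a live sshd (network helper; the
    offline check below does not call it)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


def triage_banner(banner):
    """Return (status, reason); status is one of vulnerable, patched,
    not_affected, unknown. Thresholds follow the public CVE-2001-0144
    advisories: OpenSSH < 2.3.0 and ssh.com 1.2.24-1.2.31 are affected."""
    m = _BANNER.match(banner.strip())
    if not m:
        return "unknown", "not an SSH identification string"
    proto, soft = m.group("proto"), m.group("soft")
    if proto == "2.0":
        # The detector only runs for protocol 1 sessions.
        return "not_affected", "protocol 1 disabled; SSH1 detector code is never reached"
    o = _OPENSSH.match(soft)
    if o:
        ver = tuple(int(x or 0) for x in o.groups())
        if ver < (2, 3, 0):
            return "vulnerable", f"{soft} predates the OpenSSH 2.3.0 fix"
        return "patched", f"{soft} includes the OpenSSH 2.3.0 fix"
    c = _SSHCOM1.match(soft)
    if c:
        patch = int(c.group(1))
        if 24 <= patch <= 31:
            return "vulnerable", f"ssh.com {soft} is in the affected 1.2.24-1.2.31 range"
        if patch >= 32:
            return "patched", f"ssh.com {soft} is at or past the 1.2.32 fix"
        return "unknown", f"ssh.com {soft} predates the detector; check the vendor advisory"
    return "unknown", f"{soft} not recognised; check the vendor advisory"


def triage_all(banners):
    """Map host -> status for a dict of host -> banner."""
    return {host: triage_banner(b)[0] for host, b in banners.items()}


if __name__ == "__main__":
    for host, banner in SAMPLE_BANNERS.items():
        status, reason = triage_banner(banner)
        print(f"{host:6} {status:13} {banner:28} {reason}")
```

Treat the result as triage, not proof: a banner can be edited, and vendor packages that backport the fix keep the old version string, so a "vulnerable" verdict is confirmed by checking the installed package or build, and an "unknown" one by the vendor's own advisory. Anything "vulnerable" or "unknown" that is reachable from outside the address list you allow on port 22 is the first thing to fix.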


- -------------------------------------
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
day, % of total
- -------------------------------------

Unauthorized Access Attempt  45.83%
Protocol Decode              29.57%
Denial Of Service            17.16%
Pre-Attack Probe             03.96%
Suspicious Activity          03.45%
Back Door                    00.02%

- -------------------------------------
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at
<http://www.iana.org/assignments/port-numbers>)
- -------------------------------------

80       (http)              83.70%
25       (smtp)              05.00%
22       (ssh)               02.94%
21       (ftp)               02.18%
69       (tftp)              01.93%
137      (netbios-ns)        01.34%
143      (imap)              01.25%
443      (https)             00.66%
20       (ftp-data)          00.62%
113      (ident-auth)        00.38%

- ---------------------------------------
VIRUS, TOP 10 and NEW VULNERABILITIES, NEWS UPDATES
- ---------------------------------------

- - Visit <http://www.iss.net> under 'Global Internet Threat
Intelligence Service'

- - Go to Sophos <http://www.sophos.com/virusinfo/topten/> for the
top ten viruses in October 2001.

- ---------------------------------------
DEFACEMENT WATCH based on www.alldas.de 
- ---------------------------------------

- - Alldas.de stats show that since April, 2000, the most defaced OS is
Windows, with a total of 15,824 defacements reported, for 63% of the
total. Although growing in popularity as a target, Linux is a distant
second with 4,498 defacements reported, for 18% of the total.

- - Alldas.de reports a total of 42 defacements yesterday, 7 November.
Details can be seen at www.alldas.de <http://www.alldas.de> under
'current month'. Of these, six contained messages beyond the normal
'gotcha' message from the hacker. Three of these contained hacker
propaganda (why we hack), one contained a Mothers Against Drunk
Driving message, though it was apparently not done by anyone acting
officially for MADD, and one had a humorous and profane anti-YIHAT
message. The only political message of note came from a new group
calling itself 'Ghostcr3w', who defaced an Indian site. They defaced
the web site of the Pune Provincial/City government and posted a jihad
message that was juvenile in appearance, with no mention of any group
associated with bin Ladin or sympathizers.
<http://defaced.alldas.de/mirror/2001/11/07/www.mah.nic.in/>

- ---------------------------------------
SOME USEFUL REFERENCES
- ---------------------------------------
- - We use the resources at the following sites on a routine basis and
thought we'd pass them along to you in case there were any here you
were unaware of.

<http://www.arin.net/whois/index.html>

<http://ciac.llnl.gov/cgi-bin/index/bulletins?k>

<http://www.cio.com/knowpulse/jan2001/>

<http://www.fedcirc.gov/>


<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secu
rity/current.asp>

<http://www.nipc.gov>

<http://www.privacy.org/>

<http://www.securitywatch.com/newsforward/default.asp?AID=5868> 

<http://www.cert.org/tech_tips/home_networks.html#IV-A-6>

<http://icat.nist.gov/icat.cfm>

<http://www.liemails.com/indexge.htm>

<http://www.safemode.org/>

<http://www.iwar.org.uk/>

<http://www.iana.org/assignments/port-numbers>

<http://home.tiscalinet.be/bchicken/trojans/trojanpo.htm>

<http://www.incidents.org/>

<http://hoaxbusters.ciac.org/>

<http://dlis.gseis.ucla.edu/people/pagre/>

<http://www.antivirus.com/vinfo/hoaxes/hoax.asp>

<http://www.infragard.net/>

- ---------------------------------------
NOTES, COPYRIGHT NOTICE, and DISCLAIMER 
- ---------------------------------------

NOTE 1: Our web site has this information in a more attractive format,
with graphics, available to the public at no cost at www.iss.net
<http://www.iss.net> under 'Global Internet Threat Intelligence
Service' <https://gtoc.iss.net/secure/whatshot.php>. Screen captures
(Control/PrtSc) of the site's pages dropped into PowerPoint can be an
effective way to communicate various aspects of the Internet threat,
e.g. the graph depicting 'AlertCon Trends'
<https://gtoc.iss.net/secure/graph.html>.

NOTE 2: We provide this information on Internet threat metrics,
viruses, vulnerabilities, patches, and breaking news, in the spirit of
PDD 63, to help security professionals wage the war against Internet
threats more effectively. Information in this update is derived
primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D
Team research, and professional liaison. Other sources as noted.
AlertCon 1
reflects the global, malicious, determined, 24 x 7 attacks experienced
by all networks. AlertCon 2 means increased vigilance/action
recommended due to a specific threat or concern. AlertCon 3 means
increased attacks against specific targets or vulnerabilities on a
scale that is unusually high, action required. AlertCon 4 reflects an
Internet emergency for a target or group of targets whose business
continuity may depend on some sort of immediate, decisive action. All
summaries cover 24 hours the previous workday, GMT. Monday summaries
may cover some weekend activity. 

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to [EMAIL PROTECTED].

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information. In
no event shall the author be liable for any damages whatsoever arising
out of or in connection with the use or spread of this information.
Any use of this information is at the user's own risk. No other use
authorized. FOIA Exemption 4. 


Dennis
Dennis Treece
Director, 
Global MSS Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5

iQA/AwUBO+qyTuOOe/7N9KJeEQIdmQCfTqiliqFnE3bqiN/jCMdtxc3fIR8An0oQ
KyMesMvIL5B9pG7cUwWffVWG
=IIQF
-----END PGP SIGNATURE-----

