TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 INTERNET THREAT UPDATE for 12-18-2001 ISS X-Force Special Operations Group www.iss.net - Click on 'Current Internet Threat' for more information. ****************************************************** ALERTCON 2 Projected: AlertCon 2 ****************************************************** - - We remain at AlertCon 2. Three vulnerabilities have been found in Internet Explorer and Microsoft has released a cumulative patch, which Microsoft says is a critical security precaution and should be applied immediately. - - The serious vulnerability in the login program present in SysV derived systems (e.g., Sun Solaris, IBM AIX and others) discovered by ISS X-Force continues to be a very real threat and should be addressed accordingly. Remote attackers may use this vulnerability to gain complete control of any vulnerable systems. - - We continue to see new worms and viruses popping up several times a week, and believe that the holiday season will bring out the best/worst in virus and worm writers attempting to utilize social engineering to cause e-mail recipients to open harmful/dangerous executable files located in various forms of religious greetings. What a marvelous time to hide damaging payloads in pictures of Santa. With the mail system being compromised by the anthrax terrorists, e-mails will be the popular mode of sending holiday greetings, replete with onerous attachments. Please be prudent and ensure that your employees are made aware of this. - ------------------------------------------------------ RECOMMENDATIONS - - Regarding the Microsoft IE vulnerabilities - review MS Security advisory MS01-058 and apply the appropriate patch: (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/se curity/bulletin/MS01-058.asp) - - Regarding the multi-vendor Login buffer overflow, in addition to loading the vendor patches below, customers can take several precautions to minimize their risk. Disable default terminal communications services, including Telnet and Rlogin. Install and use Secure Shell (SSH) as a secure alternative. SSH implements encrypted terminal connections, and is designed to replace insecure protocols such as Telnet and Rlogin. - - See the X-Force advisory for details, solutions to the SysV derived login vulnerability. http://xforce.iss.net/alerts/advise105.php - - Caldera has released a patch: http://stage.caldera.com/support/security/ - - IBM has prepared an emergency fix and is available for downloading at: ftp://aix.software.ibm.com/aix/efixes/security - - Patches for Sun customers can be found at: http://sunsolve.sun.com/securitypatch - - Additional information is available in CERT-CC advisory CA 2001-34 http://www.cert.org/advisories/CA-2001-34.html - ------------------------------------------------------ ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous day, % of total - ------------------------------------------------------ Unauth Access Attempt 64.49% Protocol Decode 21.68% Denial Of Service 06.70% Suspicious Activity 04.89% Pre-Attack Probe 02.21% Back Door 00.02% - ------------------------------------------------------ TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten (ports found at) http://www.networkice.com/Advice/Exploits/Ports/default.htm - ------------------------------------------------------ 80 (http) 82.82% 23 (telnet) 04.57% 25 (smtp) 04.10% 21 (ftp) 03.38% 69 (tftp) 01.62% 137 (netbios-ns) 01.21% 22 (ssh) 00.84% 443 (ssl) 00.69% 12754 (unassigned) 00.44% 6723 (unassigned) 00.33% - ----------------------------------------------------- BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER - ------------------------------------------------------ Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update derived primarily from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted. AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action. All summaries cover 24 hours the previous workday, GMT. Monday summaries may cover some weekend activity. Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED] Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4. Patrick Gray Manager, Internet Threat Intelligence Center X-Force, MSS Special Operations Group Internet Security Systems 6303 Barfield Road Atlanta, GA 30328 -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBPB+LwZG41ROSQPncEQJYlACgzeGScIfl3l9Dwwom7hU+/AX/FLMAoL/H Y/3/W+JoeQe7pVoWQMFDtCfT =iL7i -----END PGP SIGNATURE-----
