Thanks to Chuck Bianco for forwarding to me the CERT information below.
The information below is published by the
CERT team. I have been reading Tipton
and Krause?s latest security handbook. The new handbook contains articles on hacking and virus detection in the Operations Chapter. The information below on Internet attacks compliments the new security handbook as its changes
focus from traditional operations security issues to Internet based security
issues.
Click on Read More below for full story.
?
-----BEGIN PGP SIGNED
?
CERT Summary CS-2001-02
?
May 29, 2001
?
Each quarter, the CERT Coordination Center (CERT/CC)
issues the CERT Summary to draw attention to the types of attacks reported to
our incident response team, as well as other noteworthy incident and
vulnerability information. The summary includes pointers to sources of
information for dealing with the problems.
?
Past CERT summaries are available from:
?
CERT Summaries
http://www.cert.org/summaries/
?? ______________________________________________________________________
?
Recent Activity
?
Since the last regularly scheduled CERT summary,
issued in February 2001 (CS-2001-01), we have seen a significant increase in
reconnaissance activity, a number of self-propagating worms, and active
exploitation of vulnerabilities in snmpxdmid, BIND and IIS by intruders
?
For more current information on activity being
reported to the CERT/CC, please visit the CERT/CC Current Activity page. The
Current Activity page is a regularly updated summary of the most frequent,
high-impact types of security incidents and vulnerabilities being reported to
the CERT/CC. The information on the Current Activity page is reviewed and
updated as reporting trends change.
?
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
?
?
sadmind/IIS Worm
?
The CERT/CC has received reports from more than 400
sites affected by a piece of self-propagating malicious code (referred to here
as the sadmind/IIS worm). This worm uses two well-known vulnerabilities to
compromise Solaris systems and deface web pages running on IIS servers. Reports
indicate more than 500 Solaris machines have been compromised by the
sadmind/IIS worm and more than 6000 IIS servers have been defaced. Sites
running either Solaris or IIS are strongly encouraged to review CA-2001-11 and
those running IIS should review the advisories listed below in the "Other
Recent IIS Security Issues" section as well.
?
CERT Advisory CA-2001-11: sadmind/IIS Worm
http://www.cert.org/advisories/CA-2001-11.html
?
?
Other Recent IIS Security Issues
?
The CERT/CC has recently published information on
two new vulnerabilities in IIS. Given the current level of exploitation of IIS
by intruders and the sadmind/IIS worm, the CERT/CC strongly encourages sites to
review the following advisories and take appropriate steps to protect IIS
servers.
?
Superfluous Decoding Vulnerability in IIS
?
A serious vulnerability in Microsoft IIS
may allow remote intruders to execute commands on an IIS web server. This
vulnerability closely resembles a previous vulnerability in IIS that was widely
exploited. The CERT/CC urges IIS administrators to take action to correct this
vulnerability.
?
CERT Advisory CA-2001-12: Superfluous Decoding Vulnerability
in IIS
http://www.cert.org/advisories/CA-2001-12.html
?
?
Buffer Overflow Vulnerability in Microsoft IIS 5.0
?
A vulnerability exists in Microsoft IIS 5.0
running on Windows 2000 that allows a remote intruder to run arbitrary code on
the victim machine, allowing them to gain complete administrative control of
the machine. A proof-of-concept exploit is publicly available for this
vulnerability, which increases the urgency that system administrators apply the
patch.
?
CERT Advisory CA-2001-10: Buffer Overflow
Vulnerability in Microsoft IIS 5.0
http://www.cert.org/advisories/CA-2001-10.html
?
Additional advice on securing IIS web servers is
available from:
?
Microsoft Technet Security Tools
http://www.microsoft.com/technet/security/tools.asp
?
?
Exploitation of snmpXdmid
?
The CERT/CC has received dozens of reports indicating
that a vulnerability in snmpXdmid is being actively exploited Exploitation of
this vulnerability allows an intruder to gain privileged (root) access to the
system.
?
CERT Advisory CA-2001-05: Exploitation of snmpXdmid
http://www.cert.org/advisories/CA-2001-05.html
?
?
Exploitation of BIND Vulnerabilities
?
On January 29, 2001, the CERT/CC published CERT
Advisory CA-2001-02, detailing multiple vulnerabilities in multiple versions of
ISC BIND nameserver software. Two of the vulnerabilities described in the
advisory are still being actively exploited by the intruder community to
compromise systems.
?
CERT Incident Note IN-2001-03: Exploitation of BIND
Vulnerabilities
http://www.cert.org/incident_notes/IN-2001-03.html
?
CERT Advisory CA-2001-02: Multiple Vulnerabilities
in BIND
http://www.cert.org/advisories/CA-2001-02.html
?
The "cheese" Worm
?
The CERT/CC has observed in public and private
reports a recent pattern of activity surrounding probes to TCP port 10008. We
have obtained an artifact called the "cheese" worm which may
contribute to this pattern.
?
CERT Incident Note IN-2001-05: The
"cheese" Worm
http://www.cert.org/incident_notes/IN-2001-05.html
?
Increase in Reconnaissance Activity
?
Over the past several weeks, the CERT/CC
has observed a significant increase in network reconnaissance activity. While
some of this traffic may be attributed to the sadmind/IIS worm or the
"cheese" worm, reports indicate active scanning for known
vulnerabilities in other network services as well. In addition, we have seen a
significant increase in the number of generalized port scans of hosts.
?
In order to minimize exposure to this
activity, the CERT/CC recommends that sites review and apply vendor-supplied
security patches, disable non-critical network services, and actively monitor
system and network logs for unusual activity.
?
?
Statistical Weaknesses in TCP/IP Initial
Sequence Numbers
?
A new vulnerability has been identified which is
present when using random increments to constantly increase TCP ISN values over
time. Systems are vulnerable if they have not incorporated RFC 1948 or
equivalent improvements, or do not use cryptographically secure network
protocols like IPsec.
?
CERT Advisory CA-2001-09: Statistical Weaknesses in
CP/IP Initial Sequence Numbers
http://www.cert.org/advisories/CA-2001-09.html
_________________________________________________________________
?
Collaboration between the CERT Coordination
Center and the Internet Security Alliance
?
Using its standard process for collaborating with
industry organizations, the CERT/CC, as part of the SEI, has entered into an
agreement with the Electronic Industries Alliance, a not-for-profit
organization in Virginia, to support the activity of the Internet Security
Alliance (ISA). ISA is a member organization that is focused on the overall
improvement of Internet security.
?
Internet Security Alliance
http://www.isalliance.org/
?
Frequently Asked Questions (FAQ) about the
collaboration between CERT Coordination Center and the Internet Security
Alliance
http://www.cert.org/faq/certcc_ISA.html
_________________________________________________________________
?
What's New and Updated
?
Since the last CERT Summary, we have published new
and updated
?
Advisories
http://www.cert.org/advisories/
Incident Notes
http://www.cert.org/incident_notes/
CERT/CC Statistics
http://www.cert.org/stats/cert_stats.html
Annual Reports
http://www.cert.org/annual_rpts/
______________________________________________________________________
?
This document is available from:
http://www.cert.org/summaries/CS-2001-02.html
______________________________________________________________________
?
CERT/CC Contact Information
?
Email:?? cert@cert.org
Phone: ? +1
412-268-7090 (24-hour hotline)
Fax: ?????? +1
412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890 U.S.A.
?
CERT personnel answer the hotline 08:00-17:00
EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
?
Using encryption
?
We strongly urge you to encrypt sensitive information
sent by email.
Our public PGP key is available from
?
http://www.cert.org/CERT_PGP.key
?
If you prefer to use DES, please call the CERT
hotline for more information.
?
Getting security information
?
CERT publications and other security information are
available from our web site
?
http://www.cert.org/
?
To subscribe to the CERT mailing list for
advisories and bulletins, send email to majordomo@cert.org. Please include in
the body of your message
?
subscribe cert-advisory
?
"CERT" and "CERT Coordination
Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________
?
NO WARRANTY
Any material furnished by Carnegie Mellon University
and the Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind, either
expressed or implied as to any matter including, but not limited to, warranty
of fitness for a particular purpose or merchantability, exclusivity or results
btained from use of the material. Carnegie Mellon University does not make any
warranty of any kind with respect to freedom from patent, trademark, or
copyright infringement.
_________________________________________________________________
?
Conditions for use, disclaimers, and sponsorship
information
?
Copyright ?2001 Carnegie Mellon University.
?
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv
?
iQCVAwUBOxQFvgYcfu8gsZJZAQGhBwQAnOGWyK2i3snaTskm3SvFycSFQCIhatKI
0+UrWPAX4oR5dYcygJwg23/QSuN2deQuLatfJSRKHW+hYKVgJlHxoBED0CPspkhx
ezU47UcqLFKk2QI3Bt3cG22i28qxjpEOZNn325MfrxJg/q2XdUFZcpqkdian5otJ
Lv+z0JyeV/M=
=I/U5
-----END PGP SIGNATURE-----
?
Main Library Area 
COBIT© Standard 
10.2.2 Vs 10.2.7
