No One In Particular's Daily Security Update


8=) Tuesday, November 13, 2001 (=8




8=) iNTRo (=8

Hiyas! This is my new homepage for daily (as near as possible) updates on Computer and Network Security and Vulnerability Information. This site is planned to be a robust source of current (and past) information, designed to be both informative and easy to read. Now, on to the good stuff (comments in italics mine, by the way, and not "officially" part of the published articles).

Send me feedback ([email protected])! Do you want something more out of this? Something less?



8=) VuLNeRaBiLiTieS (=8



www.securityfocus.com
Zone Labs ZoneAlarm Pro Unauthorized Local Security Settings Vulnerability

Similar in scope to the recently released Internet Explorer vulnerability, which misassigned the local and internet zones, ZoneAlarm has a similar issue, but on a slightly wider scale. In its default configuration, if the first two octets of a visitor's IP address are identical to those of the local host, ZoneAlarm will allow the visiting user to access the host with local security settings. This could allow unauthorized access to file shares that were never meant to be exposed. No patches have appeared as yet.

What exactly does this mean to all of those cable and DSL subscribers using ZoneAlarm to provide their usual line of defense? Well, if your IP is 66.69.150.123, then *anyone* with an IP beginning with 66.69 can access your machine as a "local" user (which means they have the same basic privileges, as far as ZA is concerned, as the person sitting *at* the machine). This does not bypass any inherent security settings on the OS itself (if NT or Win2K/XP is the OS of choice, that is) but does leave many Win9x users in a bit of a quandary.

Read my lips: Turn off File and Printer Sharing. Now.
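To make the scale of the default concrete, here is an added example (my own code, not ZoneAlarm's or the advisory's) that models the two-octet "local" rule described above next to a netmask-based check; the 66.69.150.0/24 subnet and the visitor addresses are constructed for illustration.

```python
# Added example: models the ZoneAlarm default described above (first two octets
# equal => "local") beside a check that only trusts explicitly configured subnets.
import ipaddress


def zonealarm_default_is_local(host_ip: str, visitor_ip: str) -> bool:
    """The flawed rule as described in the advisory: compare only the first two octets."""
    return host_ip.split(".")[:2] == visitor_ip.split(".")[:2]


def netmask_is_local(visitor_ip: str, local_networks) -> bool:
    """Corrected rule: 'local' means the visitor falls inside a configured subnet."""
    addr = ipaddress.ip_address(visitor_ip)
    return any(addr in ipaddress.ip_network(net) for net in local_networks)


def addresses_trusted_by_default(host_ip: str) -> int:
    """Number of IPv4 addresses the two-octet rule admits as 'local' (a whole /16)."""
    first_two = ".".join(host_ip.split(".")[:2])
    return ipaddress.ip_network(f"{first_two}.0.0/16").num_addresses


def exposure_report(host_ip: str, local_networks, visitors):
    """For each visitor: (visitor, verdict under the flawed rule, verdict under the netmask rule)."""
    return [
        (v, zonealarm_default_is_local(host_ip, v), netmask_is_local(v, local_networks))
        for v in visitors
    ]


if __name__ == "__main__":
    host = "66.69.150.123"            # the address used in the write-up above
    lan = ["66.69.150.0/24"]          # constructed: the subscriber's actual subnet
    visitors = ["66.69.150.7", "66.69.2.200", "10.0.0.5"]  # constructed
    print(f"{addresses_trusted_by_default(host)} addresses trusted by default")
    for row in exposure_report(host, lan, visitors):
        print(row)
```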



www.cert.org
CERT® Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service

This vulnerability had been reported originally in 1999, but so many vendors have failed to take action to fix this problem that the CERT decided to release an advisory on the subject again. Basically, the dtspc service that runs on port 6112 (tcp) is (and has been) vulnerable to a buffer overflow on systems running CDE, and since the service runs as, you guessed it, ROOT, the overflow nets the malicious person root access to the box.

Some of the largest vendors have yet to release a fix for this, namely Sun, who has cancelled support for its OpenWindows desktop in favor of CDE, but has neglected to bring CDE up to par security-wise, instead relying on sysadmins to close tcp port 6112 from remote access.

You *do* have tcp port 6112 closed at your security perimeter, yes?



www.cert.org
CERT® Advisory CA-2001-30 Multiple Vulnerabilities in lpd

Similar to the dtspc (CDE) vulnerability, this is a rather "old" vulnerability that is still being widely exploited, which prompted CERT to release an advisory on it as well. It affects a wide range of vendors, as nearly every *nix vendor has modified its lpd software in some manner, so each needs its own patch.

Again, we have a case of an old vulnerability getting renewed interest because it is still being widely exploited. The reasons for this exploitation are simple - (1) vendors still have not all released patches for their systems, (2) sysadmins have neglected to install the patches that *have* been released, (3) sysadmins have neglected to secure their networks properly (by filtering remote access to tcp port 515 to known-trusted IPs).

Port 515 (tcp) *is* being filtered at your security perimeter, isn't it?


8=) NeWS (=8



www.securityfocus.com
Researchers Probe Dark and Murky Net

A team of researchers has mapped what they think is the identifiable internet - at least what they can get to. It seems as though certain parts of the internet simply cannot be reached; whether this is by accident or by design is the question. The majority of those subnets unable to be contacted appear to be US military (understandable) and home cable/DSL subscribers (not as understandable).

Many cable/DSL subscribers have "Personal Gateway/Router" devices, which could preclude contacting their assigned portion of their domains, and could have heavily influenced this study. Many of these devices are used for (pseudo-legal) internet connection sharing, but also serve a higher purpose - basic internet security, by providing a rudimentary (look it up) firewall of sorts.



www.securityfocus.com
Microsoft Reveals Anti-Disclosure Plan

The first paragraph of the article says it all:

"Microsoft and five major computer security companies rounded up the three-day Trusted Computing Forum on Thursday by formally announcing a coalition against full disclosure of computer vulnerability information, ending a week of intense speculation, and immediately sparking controversy."

I was trying to figure out why Microsoft thinks this may be a good idea for them and then it dawned on me. Micro$oft knows large corporations and small governments (ours, for example) are going to continue blindly buying its products because they all work so well together. There is no disputing that if you run purely Microsoft OS with Microsoft applications your network will run rather smoothly (explaining why MCSEs can get hired with little to no experience and can still be productive and successful). Security is left to, well, security staff, and if the security staff doesn't know about a vulnerability until MS tells them, all the better (for MS, that is).

I don't think MS realizes this affects more than just their bottom line, and is simply causing more animosity with the security (and anti-security) community, who generally take a dim view of MS with respect to its "security focus".



www.team-teso.net
ssh daemon exploit statement

An insider at TESO Security leaked exploit code that scripts and automates exploitation of the sshd vulnerability published in February 2001. This is their public statement on the issue.

I feel bad for TESO because they are an excellent source of highly technical information, and this will only serve to tarnish their image, and the full (or even limited) disclosure of vulnerabilities movement in general. Admittedly, what happened was beyond their control (an insider leaked the code out), but the damage has been done. This exploit script has been used in the hacks of many a site, as reported on Dshield.org (though the underlying cause is really the sysadmins not patching their software - if you had a bald tire on your car, would you replace it, or simply wait for it to blow, which it inevitably would?).


8=) iNFoRMaTioN (=8



www.securityfocus.com
Basic Security Checklist for Home and Office Users

An excellent article designed to address the security concerns and issues of the SOHO (Small Office/Home Office) market, as well as the general home internet user. This is a very common-sense, best-practice (for the audience it addresses) document, presenting its ideas in an easy-to-follow format, but not in a condescending manner.

Ah yes, this may sound like old news, or even too basic for some of us gurus (we are all gurus, right?) but I look at this as a valuable teaching tool for new network users, as well as any folks who have recently been granted the freedom to telecommute (those ARE holes into *your* network, aren't they?), and need to be gently reminded of some basic security consciousness and responsibility.



www.securiteam.com
SMB Auditing Tool (NetBIOS)

The SMB Auditing Tool is a password-auditing tool for the Windows and SMB platforms. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast at guessing passwords on these platforms. Running a large password file against Windows 2000/XP shows statistics of up to 1200 logins/sec. This means that you could run a commonly used English dictionary of 53,000 words against a server in under a minute. It supports SMB over NetBIOS and native SMB over TCP port 445, and compiles on Linux, BSD, and Cygwin.

A whole dictionary of passwords in under a minute?

Droooooooool...

You *do* have ports 135-139 and 445 blocked from external access on your networks, yes?



www.dshield.org
Top 10 Most Wanted Intruders

Dshield.org posts a list of the top 10 reported intruders (as in Hackers - as opposed to someone who merely scanned a network, which would be an Attacker instead). These are IPs that have gained unauthorized access to a computer network.


If you see any of these IPs in your firewall or IDS (Intrusion Detection System) logs, and have *not* been hacked, pat yourself on the back, call yourself lucky, and check again just to make sure. I know posting a list with simple hostnames after it is of little value, unless your logs are easily searchable, but on days when I have more time (I am a bit rushed today) I will provide a bit more info for you. You'll have to trust me on this.
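Since this issue keeps asking whether tcp 515, 6112 and the NetBIOS/SMB ports are filtered, and whether any reported intruder addresses show up in your logs, here is an added example (my own code, not Dshield's, and not part of the original posts) that audits firewall log lines for both; the log format, the local subnet and the watchlist are constructed, using RFC 5737 documentation addresses instead of the real Dshield entries.

```python
# Added example: audit constructed firewall log lines for (a) accepted inbound
# connections to the service ports named in this issue from outside the local
# subnet and (b) any traffic from a watchlist of reported intruder addresses.
import ipaddress
import re

EXPOSED_PORTS = {
    515: "lpd", 6112: "dtspc (CDE)", 135: "RPC endpoint mapper",
    137: "NetBIOS name", 138: "NetBIOS datagram", 139: "NetBIOS session",
    445: "SMB over TCP",
}

# Constructed log format: "<date> <time> ACCEPT|DROP TCP src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def audit(log_lines, local_net, watchlist):
    """Return findings as (timestamp, kind, source, detail) tuples, in log order."""
    net = ipaddress.ip_network(local_net)
    watch = {ipaddress.ip_address(w) for w in watchlist}
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at it
        src = ipaddress.ip_address(m["src"])
        dport = int(m["dport"])
        if src in watch:
            findings.append((m["ts"], "watchlist-hit", str(src),
                             f"{m['action']} to port {dport}"))
        if m["action"] == "ACCEPT" and dport in EXPOSED_PORTS and src not in net:
            findings.append((m["ts"], "unfiltered-port", str(src),
                             f"{EXPOSED_PORTS[dport]} ({dport}) reachable from outside {local_net}"))
    return findings


# Constructed sample data; 192.0.2.x, 198.51.100.x and 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
2001-11-13 08:01:02 ACCEPT TCP 10.1.5.20:1044 -> 10.1.5.2:515
2001-11-13 08:02:17 ACCEPT TCP 198.51.100.77:2901 -> 10.1.5.2:515
2001-11-13 08:03:40 DROP TCP 192.0.2.45:4410 -> 10.1.5.2:6112
2001-11-13 08:04:05 ACCEPT TCP 203.0.113.9:3322 -> 10.1.5.2:445
2001-11-13 08:05:11 ACCEPT TCP 203.0.113.9:3323 -> 10.1.5.2:80
garbage line that does not parse
""".splitlines()
WATCHLIST = ["192.0.2.45"]  # constructed stand-in for a reported-intruder list

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, "10.1.5.0/24", WATCHLIST):
        print(*finding)
```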


8=) ouTRo (=8

Well, that is the first issue posted to the "world" at large. I hope it was worth the ten minutes it took you to read it. Again, if you have any suggestions which may improve this site, let me know ([email protected]).

I did not hit all my usual sites for information, nor troll through all of my usual newsgroups, nor pore through all of my e-mail, so today has a somewhat limited scope. As I said, it will be a bit of a growing process. It'll get there though.


Thanks for listening! Enjoy your day!



