From: Treece, Dennis (ISS Atlanta) (DTreece@iss.net)
Date: Fri Sep 14 2001 - 10:29:52 CDT



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Copyright 2001 Internet Security Systems (trademark)
    THE POWER TO PROTECT

    NOTE: The web site that displays this information with attractive
    graphics is available to the public at no cost at www.iss.net under
    the link "Global Internet Threat Intelligence Service". Screen
    captures of the site's pages can be an effective way to communicate
    various aspects of the Internet threat, e.g. the graph depicting
    "AlertCon Trends".

    INTERNET THREAT & SOLUTIONS UPDATE for September 14th - 17th, 2001
    ISS X-Force Special Operations Group

    - --------------------------------------
    CURRENT THREAT ASSESSMENT & THREAT FORECAST
    - --------------------------------------

    AlertCon 2 Today, September 14th, 2001
    AlertCon 2 Projected for September 14th - 17th, 2001

    *************

    - - We continue to hold at AlertCon 2 today and through mid-day Monday.

    - - Our 24 x 7 monitoring of IDS alarms from two Security Operations
    Centers in Europe, one in South America, two in North America, and one
    in Asia has thus far not resulted in any indicators of a cyber
    component to Tuesday's terrorist attacks. We nevertheless think it
    prudent to maintain a heightened state of vigilance as a precaution at
    this time because of the potential for opportunistic misbehavior in
    our networks with so many people understandably focused on the
    terrorist attacks in New York and Washington.

    - - A new vulnerability announced by Cisco indicates that their iCDN 2.0,
    which uses Secure Socket Layer (SSL), is vulnerable to bogus client
    certificates. See the link below under Solutions.

    - - From the National Infrastructure Protection Center in FBI
    Headquarters. Quote: Multiple information security groups are
    reporting that e-mail messages may be circulating on the Internet with
    virus-infected attachments, which have file names related to the
    terrorist events of 11 September. These sources have also stated that
    a Visual Basic Script (VBS) file named "wtc.txt.vbs" has been
    circulating on Internet Relay Chat (IRC), which is reportedly a
    variant of the lifestages.txt.vbs script that first appeared in May
    2000. (NIPC Comment: The NIPC currently does not have information to
    substantiate this claim but is working closely with the anti-virus and
    information security communities. The NIPC will continue to monitor
    this claim and report as warranted.) EndQuote

    - ---------------------------------------
    SOLUTIONS
    - ---------------------------------------

    - - While physical security concerns are paramount, it is essential to
    ensure some eyes are singularly focused on malicious Internet
    activity.

    - - The tragedy on Tuesday has reminded us of the need to pay attention
    to security fundamentals. It may be prudent to use this time of
    heightened security awareness to do a top-to-bottom user account
    scrub. It is rare to find a network these days that doesn't have at
    least a few old or questionable accounts, or ones with out-of-date
    or weak passwords. A scrub of who has elevated access and permissions
    might also be prudent at this time. If there is going to be a cyber
    component to a terrorist attack it may just take place under our noses
    from accounts we "think" are legitimate. While you're at it, consider
    updating anti-virus signatures and making sure all security patches
    are installed.

    - - Upgrade Cisco systems using version 3.x of the RSA BSAFE SSL-J
    software from 2.0 to 2.0.1. Please review
    <http://www.cisco.com/warp/public/707/SSL-J-pub.html> for further
    details.
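    The account scrub recommended above, as an added example that is not part
    of the ISS update: it parses constructed /etc/passwd, /etc/shadow and
    /etc/group samples and flags UID-0 aliases, logins with no password,
    passwords older than a 90-day cutoff, passwords with no maximum age, and
    members of an assumed set of privileged groups (root, wheel, sudo). The
    accounts, dates, hashes and group names are constructed for illustration;
    on a real host the three files would be read from disk.

```python
"""Top-to-bottom account scrub over constructed passwd/shadow/group data.

Flags UID-0 aliases, passwordless logins, passwords older than a cutoff,
passwords that never expire, and members of privileged groups.  The three
inputs below are constructed samples in /etc/passwd, /etc/shadow and
/etc/group format; the hashes are placeholders, not real credentials.
"""
from datetime import date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup superuser:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
contractor1:x:1002:1002:Temp contractor:/home/contractor1:/bin/bash
oldadmin:x:1003:1003:Former admin:/home/oldadmin:/bin/bash
guest:x:1004:1004:Guest:/home/guest:/bin/bash
"""

# name:hash:lastchg(days since 1970-01-01):min:max:warn:inactive:expire:flag
SHADOW = """\
root:$1$xyz$PLACEHOLDER:11500:0:99999:7:::
toor:$1$abc$PLACEHOLDER:11000:0:99999:7:::
daemon:*:10000:0:99999:7:::
jsmith:$1$def$PLACEHOLDER:11560:0:90:7:::
contractor1:$1$ghi$PLACEHOLDER:11200:0:99999:7:::
oldadmin:$1$jkl$PLACEHOLDER:10900:0:99999:7:::
guest::11570:0:99999:7:::
"""

GROUP = """\
root:x:0:
wheel:x:10:jsmith,oldadmin
sudo:x:27:contractor1
users:x:100:jsmith,guest
"""

TODAY = date(2001, 9, 14)          # date of the update; ages are measured from here
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")
PRIVILEGED_GROUPS = ("root", "wheel", "sudo")   # assumed set of admin groups


def parse_colon_file(text, field_names):
    """Parse a colon-separated file into {first field: {field name: value}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        fields += [""] * (len(field_names) - len(fields))   # pad short rows
        rows[fields[0]] = dict(zip(field_names, fields))
    return rows


def parse_group(text):
    groups = parse_colon_file(text, ("name", "pw", "gid", "members"))
    for g in groups.values():
        g["members"] = [m for m in g["members"].split(",") if m]
    return groups


def scrub_accounts(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP,
                   today=TODAY, max_password_age=90, privileged=PRIVILEGED_GROUPS):
    passwd = parse_colon_file(passwd_text, ("name", "pw", "uid", "gid", "gecos", "home", "shell"))
    shadow = parse_colon_file(shadow_text, ("name", "hash", "lastchg", "min", "max",
                                             "warn", "inactive", "expire", "flag"))
    groups = parse_group(group_text)
    gid_to_group = {g["gid"]: g["name"] for g in groups.values()}
    today_days = (today - date(1970, 1, 1)).days

    findings = {"uid0_aliases": [], "no_password": [], "stale_password": [],
                "no_expiry": [], "privileged": {}}

    for name, pw in sorted(passwd.items()):
        sh = shadow.get(name, {})
        pw_hash = sh.get("hash", "")
        locked = pw_hash.startswith(("*", "!"))
        interactive = pw["shell"] not in NOLOGIN_SHELLS

        if pw["uid"] == "0" and name != "root":
            findings["uid0_aliases"].append(name)
        if interactive and pw_hash == "":            # empty hash: login with no password
            findings["no_password"].append(name)
        if interactive and pw_hash and not locked:
            if sh.get("lastchg") and today_days - int(sh["lastchg"]) > max_password_age:
                findings["stale_password"].append(name)
            if sh.get("max") in ("", "99999"):        # no maximum password age set
                findings["no_expiry"].append(name)

        # Elevated access: primary gid or supplementary membership in an admin group.
        memberships = set()
        if gid_to_group.get(pw["gid"]) in privileged:
            memberships.add(gid_to_group[pw["gid"]])
        memberships.update(g["name"] for g in groups.values()
                           if g["name"] in privileged and name in g["members"])
        if memberships:
            findings["privileged"][name] = sorted(memberships)
    return findings


if __name__ == "__main__":
    for key, value in scrub_accounts().items():
        print(f"{key}: {value}")
```

    Locked accounts (hash starting with "*" or "!") and non-interactive
    shells are skipped for the age checks so the list stays actionable; the
    point of the privileged list is to review every name on it against who
    should still have that access, not to trust the group file.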

    - ---------------------------------------
    Attack Signatures - global IDS, midnight - midnight, previous day, %
    of total
    - ---------------------------------------

    Unauth Access Attempts 44.04%
    Denial Of Service 32.34%
    Protocol Decode 09.87%
    Pre-Attack Probe 08.83%
    Suspicious Activity 04.84%
    Back Doors 00.09%

    - ---------------------------------------
    Top Ten Destination Ports - global IDS, midnight - midnight, previous
    day, % of top ten (port assignments found at
    <http://www.iana.org/assignments/port-number>)
    - ---------------------------------------

    80 (http) 82.63%
    25 (smtp) 05.83%
    21 (ftp) 03.73%
    143 (imap) 02.76%
    69 (tftp) 02.12%
    53 (dns) 01.28%
    443 (https) 00.51%
    139 (netbios session svc) 00.47%
    123 (ntp) 00.37%
    15104 (unassigned) 00.30%
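    The two tables above use different denominators: attack signatures are
    given as a percentage of all alerts in the window, destination ports as a
    percentage of the top ten only. The following added example (not ISS
    code; the key=value alert format and the alert counts are constructed for
    illustration) reproduces both summaries from raw alert lines over a
    midnight-to-midnight GMT window for the previous day.

```python
"""Compute the two IDS summaries used in the update from raw alert lines:
attack category as a percentage of all alerts, and top-N destination ports
as a percentage of the top N only (a different denominator).  Alerts are
filtered to a midnight-to-midnight GMT window for the previous day.

The log format and sample alerts are constructed for this example; they are
not ISS sensor output.
"""
import re
from collections import Counter
from datetime import date, datetime, timedelta, timezone

REPORT_DATE = date(2001, 9, 14)   # the summary covers the previous day, GMT

# Constructed sample: (UTC date, attack category, destination port, alert count).
SAMPLE_SPEC = [
    ("2001-09-13", "Unauth Access Attempts", 80, 125),
    ("2001-09-13", "Denial Of Service", 80, 30),
    ("2001-09-13", "Protocol Decode", 25, 12),
    ("2001-09-13", "Pre-Attack Probe", 21, 8),
    ("2001-09-13", "Suspicious Activity", 143, 6),
    ("2001-09-13", "Pre-Attack Probe", 69, 5),
    ("2001-09-13", "Pre-Attack Probe", 53, 4),
    ("2001-09-13", "Unauth Access Attempts", 443, 3),
    ("2001-09-13", "Pre-Attack Probe", 139, 2),
    ("2001-09-13", "Pre-Attack Probe", 123, 2),
    ("2001-09-13", "Back Doors", 15104, 2),
    ("2001-09-13", "Unauth Access Attempts", 8080, 1),
    ("2001-09-12", "Denial Of Service", 80, 50),      # outside the window
    ("2001-09-14", "Unauth Access Attempts", 80, 9),  # outside the window
]


def build_sample_lines(spec=SAMPLE_SPEC):
    """Render the spec as one hypothetical key=value alert line per event."""
    lines = []
    for day, category, dport, count in spec:
        for i in range(count):
            ts = f"{day}T{(i * 7) % 24:02d}:{(i * 13) % 60:02d}:{i % 60:02d}Z"
            lines.append(f'{ts} sensor=soc-eu1 sig="{category}" '
                         f'src=10.0.{i // 256}.{i % 256} dst=192.0.2.10 dport={dport}')
    return lines


LINE_RE = re.compile(r'^(?P<ts>\S+) .*?\bsig="(?P<sig>[^"]+)".*?\bdport=(?P<dport>\d+)')


def parse_alerts(lines):
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an alert line in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        alerts.append({"ts": ts, "sig": m["sig"], "dport": int(m["dport"])})
    return alerts


def category_breakdown(alerts):
    """[(category, count, % of all alerts)], largest first."""
    total = len(alerts)
    counts = Counter(a["sig"] for a in alerts)
    return [(sig, n, round(100.0 * n / total, 2))
            for sig, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def top_ports(alerts, n=10):
    """[(port, count, % of the top-N alerts)]: the denominator is the top N, not all alerts."""
    counts = Counter(a["dport"] for a in alerts)
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    top_total = sum(c for _, c in top)
    return [(port, c, round(100.0 * c / top_total, 2)) for port, c in top]


def summarize_previous_day(lines, report_date=REPORT_DATE, n=10):
    """Window is the calendar day before report_date, midnight to midnight GMT."""
    window = report_date - timedelta(days=1)
    alerts = [a for a in parse_alerts(lines) if a["ts"].date() == window]
    if not alerts:
        return {"window": window.isoformat(), "total": 0, "categories": [], "top_ports": []}
    return {"window": window.isoformat(), "total": len(alerts),
            "categories": category_breakdown(alerts), "top_ports": top_ports(alerts, n)}


if __name__ == "__main__":
    s = summarize_previous_day(build_sample_lines())
    print(f"Window {s['window']} GMT, {s['total']} alerts")
    for sig, n, pct in s["categories"]:
        print(f"  {sig:<24} {pct:05.2f}%")
    for port, n, pct in s["top_ports"]:
        print(f"  port {port:<6} {pct:05.2f}%")
```

    Because the port percentages are normalised to the top ten, they always
    sum to 100% even when long-tail ports carry a meaningful share of the
    traffic; compare against the raw counts before reading a small percentage
    as a small absolute number.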

    - ---------------------------------------
    VULNERABILITIES
    - ---------------------------------------

    - - Check out the web site at <http://www.iss.net/> Under Global
    Internet Threat Intelligence Service.

    - ---------------------------------------
    MALICIOUS LOGIC
    - ---------------------------------------

    - - Check out the web site at <http://www.iss.net/> Under Global
    Internet Threat Intelligence Service.

    - ---------------------------------------
    WEB SITE DEFACEMENTS
    - ---------------------------------------

    - - No update again today. Alldas and Safemode are still down.

    - ---------------------------------------
    BREAKING NEWS
    - ---------------------------------------

    - - Check out the web site at <http://www.iss.net/> Under Global
    Internet Threat Intelligence Service.

    - ---------------------------------------
    DISCLAIMER AND COPYRIGHT NOTICE
    - ---------------------------------------

    We provide this information on Internet threat metrics, viruses,
    vulnerabilities, patches, and breaking news, in the spirit of PDD 63,
    to help security professionals wage the war against Internet threats
    more effectively. Information in this update is derived primarily from
    global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
    and professional liaison. Other sources are as noted. AlertCon 1 reflects
    the global, malicious, determined, 24 x 7 attacks experienced by all
    networks. AlertCon 2 means increased vigilance/action recommended due
    to a specific threat or concern. AlertCon 3 means increased attacks
    against specific targets or vulnerabilities on a scale that is
    unusually high, action required. AlertCon 4 reflects an Internet
    emergency for a target or group of targets whose business continuity
    may depend on some sort of immediate, decisive action. All summaries
    cover 24 hours the previous workday, GMT. Monday summaries may cover
    some weekend activity.

    Copyright 2001 Internet Security Systems, Inc. Permission is granted
    for the redistribution of the Internet Threat Update electronically.
    It is not to be sold or edited in any way without express consent of
    ISS. Refer comments or questions to dtreece@iss.net
    <mailto:dtreece@iss.net>. Disclaimer: This information is subject to
    change without notice. Use of this information constitutes acceptance
    for use in an "as is" condition. There are no warranties with regard
    to this information. In no event shall the author be liable for any
    damages whatsoever arising out of or in connection with the use or
    spread of this information. Any use of this information is at the
    user's own risk. No other use authorized. FOIA Exemption 4.

    Dennis
    Dennis Treece
    Director,
    Global MSS Special Operations Group
    Internet Security Systems (ISS)
    6303 Barfield Road
    Atlanta, Georgia 30328
    404-236-4065
    Cell 404-667-9345
    Fax 404-236-2626

    Internet Security Systems -- The Power to Protect

    Confidentiality Notice: This message is being sent by or on behalf of
    a network security professional. It is intended exclusively for the
    individual to whom it is addressed. This communication may contain
    information that is proprietary, privileged or confidential.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5

    iQA/AwUBO6IikuOOe/7N9KJeEQJWuwCg7VEZ/tiVH7K9xmIu2Jl+cyXmEDoAoKWe
    MjLpWXa70EI7aaqiqH5nLagj
    =44qh
    -----END PGP SIGNATURE-----