From: Treece, Dennis (ISS Atlanta) (DTreece iss.net)
Date: Tue Apr 09 2002 - 12:41:54 CDT
----------------------------------------------------------------------------
INTERNET RISK UPDATE for 04-09-2002
ISS X-Force Internet Threat Intelligence Center
www.iss.net - Click on AlertCon logo for more information.
********************************************
ALERTCON 1
Projected: AlertCon 1 (next 48 hours)
********************************************
ALERTCON 1 - AlertCon 1 reflects the malicious, determined, global,
24 x 7 attacks experienced by all networks. The risk at AlertCon 1 means
that an unprotected computer running common commercial software will be
compromised in a day after connecting it to the Internet.
Vulnerabilities: There are two new vulnerabilities from Microsoft -
1. Opening group policy files for exclusive read blocks policy
application. Affected software: Windows 2000 Server, Windows 2000 Advanced
Server, and Windows 2000 Datacenter Server.
2. Unchecked buffer in the Multiple UNC Provider could enable
code execution. Affected software: NT 4.0 Workstation, NT 4.0 Server, NT
4.0 Server, Enterprise Edition, NT 4.0 Terminal Server Edition, Windows 2000
Professional, Windows 2000 Server, Windows 2000 Advanced Server, and Windows
XP Professional.
VIRUSES/WORMS: APLORE.A is another nuisance worm, like graffiti on a wall.
When the worm is executed it remains in resident memory and sends messages
regarding pornography via Internet Relay Chat (IRC).
Internet Security Systems has released its Internet Risk Impact Summary for
December 22, 2001 through March 21, 2002. Please click on this link
<https://gtoc.iss.net> for the PDF document.
********************************************
RECOMMENDATIONS
********************************************
For the Microsoft Security Bulletins:
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-016.asp>
<http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-017.asp>
For information on the W32/Yaha-B worm, please see:
<http://www.sophos.com/virusinfo/analyses/w32yahab.html>
For information regarding viruses and worms, please see:
<https://gtoc.iss.net/viruses.php>
********************************************
FACTOID: Financial losses from cyber crimes shot up for the third year in a
row. Ninety percent of respondents detected computer security breaches
within the past 12 months. See the full report at
<http://www.gocsi.com/press/20020407.html>
********************************************
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
day, % of total
********************************************
Suspicious Activity 48.26%
Unauthorized Access Attempt 17.06%
Protocol Decode 15.49%
Pre-Attack Probe 14.04%
Denial Of Service 05.13%
Back Door 00.02%
********************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at)
<http://www.networkice.com/Advice/Exploits/Ports/default.htm>
********************************************
80 (http) 53.35%
21 (ftp) 26.60%
161 (SNMP) 08.48%
23 (telnet) 03.67%
69 (tftp) 02.33%
162 (SNMPTrap) 01.91%
25 (smtp) 01.23%
22 (ssh) 00.85%
1500 (VLSI) 00.84%
139 (NetBIOS) 00.75%
Yesterday's port 80 hits are lower than normal but still show better than
half of all our malicious activity coming in through the wide open http
port. Unless the firewall policy is taking this into consideration by adding
additional blocks, your firewall is marginalized by all this port 80 traffic.
********************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
********************************************
Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
and professional liaison. Other sources as noted. AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks experienced by all
networks. AlertCon 2 means increased vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means increased attacks
against specific targets or vulnerabilities on a scale that is
unusually high, action required. AlertCon 4 reflects an Internet
emergency for a target or group of targets whose business continuity
may depend on some sort of immediate, decisive action. All summaries
cover 24 hours the previous workday, GMT. Monday summaries may cover
some weekend activity.
Copyright 2002 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: pgray iss.net or dtreece iss.net
Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.
Dennis
Dennis Treece
Director,
X-Force Special Operations Group
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328
404-236-4065
Cell 404-667-9345
Fax 404-236-3255
Internet Security Systems -- The Power to Protect
Confidentiality Notice: This message is being sent by a network security
professional. It is intended exclusively for the individual to whom it is
addressed. This communication may contain information that is proprietary,
privileged or confidential.