TigerTools Website

 

Issue Contents:

Humor

 

 

 

Humor

TOP 10 SIGNS YOUR CO-WORKER IS A COMPUTER HACKER

10) You ticked him off once and your next phone bill was for $20,000.

9) He's won the Publisher's Clearing House sweepstakes 3 years running.

8) When asked for his phone number, he gives it in hex.

7) Seems strangely calm whenever the office LAN goes down.

6) Somehow gets HBO on his PC at work.

5) Mumbled, "Oh, puh-leeez" 95 times during the movie "The Net".

4) Massive 401k contribution made in half-cent increments.

3) His video dating profile lists "public-key encryption" among turn-ons.

2) When his computer starts up, you hear, "Good Morning, Mr. President".

1) You hear him murmur, "Let's see you use that Visa card now, Professor I-Don't-Give-A's-In-Computer-Science!"

 

 

I.) Editor's Note

 

I know places where computer crime is a lifestyle. Places where your social security and credit card numbers are traded with poker-faced anonymity. Places where even the most guarded computers are vulnerable to sophisticated hack attacks. These places share a common name--a name composed of alternative vocations such as computer hacking and cracking, software pirating, phone system phreaking, information sniffing, identity spoofing, communication spying, and corporate espionage. The name is the Underground--a virtual locality that hackers call home.

 
In this issue, we'll explore news articles and advisories that embrace the following questions:
 
     Did you know you may have already downloaded malicious programs that can make the most threatening virus seem harmless?
 
     Did you know by simply browsing the Internet, wherever you go and whatever you do, almost anyone can track your movements while collecting personal information about you?
 
These programs are designed to give a remote attacker secret control of your network server or personal computer. With that control, hackers can collect passwords, access accounts (including e-mail), modify documents, share hard drive volumes, record keystrokes, capture screen shots, and even listen to conversations through your computer's microphone. On the lighter side of darkness, hackers can also easily exploit critical information leaks and collect data right from your web browser.
 
Most people hardly realize how common these threats are, from company networks to home computers. More than likely, there have been hack attacks unbeknownst to you--in your neighborhood, down your block, next door, even in your home. Remember, if you only think you're safe, you're probably not...
 
 
The Five Golden Rules to Internet Security
 
Although it's not practical to think you can be completely safe from hack attacks, there are ways to fortify against most common threats. Whether you're an avid web master or a seldom surfer, the following policies apply. Be sure to follow these golden rules for a safe web experience.
  1. Use a personal firewall. Personal firewalls typically fortify against many incoming intrusions. Popular and proven choices include BlackICE Defender, Norton Firewall 2001, McAfee Firewall, ZoneAlarm Pro, and TigerWatch from Hack Attacks Revealed. Keep in mind that a firewall filters unsolicited inbound connections; it does nothing about code you run yourself, which is why the next rules matter just as much.
      
  2. Use antivirus software. Protect your system from downloads and e-mail attachments that contain viruses and Trojans with Norton AntiVirus 2001, McAfee VirusScan 5.0, or PC-cillin 2000, and keep the signature updates current: a scanner only catches what it has definitions for.
     
  3. Don't take candy from strangers. Defend your right to privacy with a good cookie manager, such as McAfee Internet Guard Dog.
     
  4. Encrypt sensitive data. Don't even think about transmitting sensitive information without using encryption software. Among the most user-friendly is TigerCrypt from Hack Attacks Denied.
     
  5. Just say "No!" It's none of their business--don't ever reveal personal information such as your passwords, credit card limits, home address, birth date, driver's license and social security numbers. 
- John Chirillo

 

 

II.) Top Headlines
 

Almost No One Rejects Cookies - Study 

(Source: Newsbytes)
 
A new study has found that only about seven out of 1,000 Internet surfers reject cookies, those little data files that Web sites store on PCs to record user preferences and track their activities. Does such a low rejection rate mean that setting a browser to disable cookies is too difficult, or that 99.3 percent of Internet users don't care that their personal information is being passed around the World Wide Web?
 
The answer to that question, quite predictably, depends on who is asked. Web site audience analysis service Web Side Story found in a review of more than 1 billion page views that cookies were disabled just 0.68 percent of the time. Web Side Story takes that statistic to mean that consumers are not worried about cookies. Such a minute number of Internet users disabling the data files suggests to Web Side Story chief privacy officer Randy Broberg that there's scant concern about cookies, even if most surfers know little or nothing about them. 
 
"Clearly some people might reject cookies if they knew more about it," said Randy Broberg, general counsel and chief privacy officer for Web Side Story. "I would have thought (the findings) would have been much higher. It sounds like there's not quite the uproar" over cookies that is widely believed. "That's not valid," said privacy advocate Jason Catlett, president and founder of Junkbusters.com. "Even if we take their findings at face value, there's still the fact that when cookies are explained to (computer users), they do not like them." Surfers' options to cut out cookies are limited on browsers, especially Microsoft Explorer, Catlett said. And cookies are required as a "condition of entry" to some Web sites, he added. Richard Smith, chief technology officer of the Privacy Foundation, said he was not surprised by the results. "You can't surf without cookies," he said. "Ask anybody who tries to shut off cookies." What annoys Smith is the solution to cookie concerns often included in Web sites' privacy policies - turn them off. "This whole idea that you can somehow turn them off is a false notion," he said. "I'm really upset when a Web site privacy policy says turn off all cookies. That's ludicrous." 
 
The Web Side Story findings seem out of step with what was uncovered in a widely cited Pew Internet & American Life Project study released last summer. Pew found that 84 percent of Internet users in the US are concerned about businesses and strangers getting their personal data online, but 56 percent did not know about cookies.  More notably, 10 percent said they took steps to block cookies from their PCs, Pew found. But, Broberg told Newsbytes, Web Side Story's study was based on statistics and was not an opinion poll. Andrew Cervantes, chief operating officer of the Privacy Foundation, said computer users find the process of blocking cookies "too much of a hassle." Microsoft touts its new Explorer 6 browser as having a more flexible cookie management system that gives users more control over their personal information.
 
Catlett ripped Microsoft for designing the browser to "silently" accept third-party cookies for companies that claim to offer an opt-out from tracking. "The obvious absurdity of this situation is that the average user is unaware of the cookies and the tracking, and would not know where to opt out," Catlett said in a letter to Microsoft last week. "Microsoft's backdown on third-party cookies is deplorable." The billion page views sampled came from the 50 most-visited Web sites in its HitBox Enterprises network of 150,000 sites, said Broberg.
 
 
Microsoft Web Browser Flaw Opens Door to Hackers
(Source: NewsFactor)
 
Microsoft Corp. is advising millions of its Internet Explorer (IE) browser users to immediately patch a security flaw that allows the browser to automatically open HTML e-mail attachments -- an action that could leave computers open to malicious code or other attacks. The flaw, which affects Internet Explorer 5.01 and 5.5, was uncovered by Spanish security expert Juan Carlos Cuartango and was announced by Microsoft Thursday. Left unpatched, it could allow a hacker to remotely control the victim's computer using an HTML-formatted e-mail without the user having to download or open an attachment.
 
Automatic Surrender
While most viruses or hacker takeovers require a computer user to open an attachment or download a file -- often disguised as an appealing photograph or innocent e-mail -- the newly discovered Internet Explorer browser flaw could result in the automatic launch of a dangerous e-mail attachment.
 
"Whenever you don't have to do any action to be infected, it's a perilous situation," Vigilinx director of intelligence Jerry Freese told NewsFactor Network. "That's something to worry about." In an advisory statement, Microsoft warned IE users: "This vulnerability could enable an attacker to potentially run a program of (his) choice on the machine of another user. Such a program would be capable of taking any action that the user himself could take on his machine, including adding, changing or deleting data, communicating with web sites, or reformatting the hard drive."

 
Microsoft also said a hacker would have to persuade the user to browse a hacker-controlled Web site or open the HTML e-mail. However, the user would not have to click on an attachment to allow access.

 
MIME Time Trouble
The flaw, which does not affect users of Internet Explorer 5.0 using Service Pack 2, involves the browser's processing of Multipurpose Internet Mail Extensions (MIME) encoding. "If an HTML mail contains an executable attachment whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue," said the Microsoft bulletin.
 
While various e-mail programs control the display of e-mail, they depend on IE to "render" or display HTML e-mails, which basically function like small Web sites sent via e-mail. "Some types of attachments, such as executable files, are inherently dangerous. In these cases, IE should only open the attachment if the user expressly asks to do so, and confirms that he wants to open it," Microsoft said. "The flaw, however, enables this safeguard to be circumvented by specifying an incorrect MIME type in the e-mail."
 
Defending Against Default
Microsoft offered a patch to IE users and advised them to download and install it immediately. Alternatively, users could also change their settings to avoid the problem, but the default setting leaves computer users vulnerable.
 
"The vulnerability could only be exploited if file downloads were enabled in Internet Explorer. However, downloads are enabled by default," said a statement from Microsoft. Freese told NewsFactor that the patch would probably keep exploitation of the vulnerability to a minimum. Still, he said, "It's a cause of concern if a patch is not installed correctly. The amount of potential damage is tempered by that." Cuartango reportedly alerted Microsoft to the flaw, which he called the biggest Internet Explorer vulnerability ever, on February 14th. The Redmond, Washington-based software giant says full documentation of the problem will be posted on its Internet Explorer Web site this weekend.
 
Widely Used and Abused
The security breach, which comes a day after the discovery of another Internet Explorer security gap that could allow hackers to read e-mail and other files, is magnified by the popularity of Microsoft's Web browser and e-mail software. Security experts say Microsoft products' interoperability with a number of applications makes the system more vulnerable to attack. "Businesses like the fact that Microsoft software can use so many applications, but that's where the real vulnerabilities are," Vigilinx vice president of intelligence Michael Assante told NewsFactor Network.
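To make the MIME point concrete, here is an added example (my code, not Microsoft's bulletin or anything from NewsFactor) of the check a mail gateway or client should make instead of trusting the declared type: it walks every MIME part of a message and flags executable content by its bytes and its filename, regardless of what the Content-Type header claims. The message it scans is constructed inline, with a PE stub labelled as audio/x-wav; that label, the filenames and the extension list are assumptions for the demo, not details taken from the advisory.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Windows executables (PE and old-style .com/.exe) start with the "MZ" DOS header.
PE_MAGIC = b"MZ"
# Extensions Windows runs on open. Assumed list for the demo; extend to taste.
EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}
# Declared types under which an executable attachment is at least honest about itself.
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload",
              "application/x-msdos-program"}


def risky_parts(raw_message: bytes):
    """Walk every MIME part and report executable content, however it is labelled.

    A reader that acts on the declared Content-Type (the behaviour the article
    describes) hands an "audio/x-wav" part to whatever handles that type; a
    scanner must instead look at the payload bytes and the attachment name.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()

        reasons = []
        if payload.startswith(PE_MAGIC):
            reasons.append("pe-magic")
        if ext in EXEC_EXTENSIONS:
            reasons.append("exec-extension")
        if reasons and declared not in EXEC_TYPES:
            # The case the advisory describes: executable bytes behind a harmless-looking type.
            reasons.append("type-mismatch")
        if reasons:
            findings.append({"filename": filename, "content_type": declared,
                             "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed message (not a real capture): a text body plus two attachments,
    one of them a PE header stub mislabelled as audio."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = "Fw: holiday photo"
    msg.set_content("See the attached photo.\n")
    fake_pe = PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 28   # DOS header stub only
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav", filename="photo.exe")
    msg.add_attachment("Nothing to see here.\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in risky_parts(build_sample()):
        print(finding)
```

Run it on a saved message by passing open(path, "rb").read() to risky_parts(). The type-mismatch finding is the interesting one: an executable payload under an unusual declared type is exactly what the flaw depends on, and the scanner refuses it whether or not the reader on the desktop has been patched.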
 

New Linux worm: 'Adore' makes its appearance
(Source: ZDNET)
 
It's the third Linux computer pest in almost as many months. The Adore worm is designed to compromise the security of Linux systems and identify them to potential hackers. The third Linux virus in almost as many months hit the Internet this week. Known as the Adore worm, the program is designed to create so-called back doors in the security of Linux systems and send information identifying the compromised systems to four different e-mail addresses hosted on servers in China and the United States.
 
"It seems to be a variant of the Ramen worm," said David Dittrich, security administrator for the University of Washington and an expert on digital forensics and hacking tools. The Ramen worm, which used three well-known security flaws to infect systems using the Red Hat distribution of Linux, hit in mid-January and infected an unknown number of computers. The vulnerabilities exploited by Ramen occur in three programs shipped with most Linux distributions and installed by default.
 
The 1i0n worm, discovered last month by the Systems Administration Networking and Security Institute (SANS), used a fourth flaw to spread among servers that had domain name service, or DNS, software installed.

Finding flaws
The Adore worm--also known as the Red worm--uses all four flaws to automatically break into vulnerable systems. While patches have existed for all the vulnerabilities for at least a few months, most system administrators have not patched their systems, said Matt Fearnow, incident handler for the SANS Global Incident Analysis Center. "Three out of four of these exploits were patched back in August," he said. "We can only get after the system administrators to keep their systems patched."
 
Once in a system, the Adore worm replaces the ps program--used by administrators to list the currently running processes on a system--with a copy that will list all processes except the worm's. Then it will send a copy of several key system files to four e-mail addresses: two in the United States and two in China. Each e-mail uses the username adore9000 or adore9001, hence the worm's name. SANS has released a program called "adorefind" that can detect whether a system has been compromised by the worm.
 
The worm appears to be spreading somewhat quickly and hammering a variety of servers with scans aimed at uncovering telltale signs of the vulnerable programs. On the Bugtraq list moderated by SecurityFocus.com, several administrators raised concerns about aggressive scanning of their systems. "Numerous people are reporting heavy scanning...from a lot of different hosts," wrote one administrator. Another person discovered the worm in one of his Red Hat Linux machines. "One of these (scans) succeeded in breaking into a unpatched Red Hat 6.2 box," he wrote.

Hidden back door
The online vandals who released the worm appear to be using it as a way to compromise a large number of systems. In addition to its other activities, the worm replaces a basic Internet service, known as ICMP (Internet Control Message Protocol), with an almost identical version. The new version of the program opens up a backdoor--bypassing security--whenever it receives the proper command sequence from the Internet. ICMP is typically used to send error information from machine to machine. After infecting a machine and sending information about the computer through e-mail, the worm waits until 4:02 a.m. and then deletes all its files, except the backdoor.
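Because Adore hides by swapping in a trojaned ps, the simplest host check is one that does not rely on ps alone. The following added example (my code, not SANS's adorefind or anything from ZDNet) compares the PIDs the kernel lists in /proc with the PIDs ps reports and returns the difference; the sample ps output and PID set are constructed for the offline demo, and the live check assumes a Linux host with /proc and a ps that accepts -e.

```python
import os
import re
import subprocess


def pids_from_proc(proc_root="/proc"):
    """PIDs the kernel itself exposes: every numeric directory under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse the PID column out of `ps -e` style output (header line first)."""
    pids = set()
    for line in text.splitlines()[1:]:
        match = re.match(r"\s*(\d+)\s", line)
        if match:
            pids.add(int(match.group(1)))
    return pids


def hidden_pids(proc_pids, ps_pids):
    """Processes the kernel knows about that ps chose not to show."""
    return sorted(set(proc_pids) - set(ps_pids))


def live_check(rounds=2):
    """Snapshot /proc and ps several times and keep only PIDs hidden every
    time, so processes that exit between the two listings are not reported."""
    hidden = None
    for _ in range(rounds):
        ps_out = subprocess.run(["ps", "-e"], capture_output=True,
                                text=True, check=True).stdout
        now = set(hidden_pids(pids_from_proc(), pids_from_ps_output(ps_out)))
        hidden = now if hidden is None else hidden & now
    return sorted(hidden)


# Constructed sample (not a real capture): /proc shows one PID more than ps does.
SAMPLE_PROC_PIDS = {1, 2, 145, 300, 31337}
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:03 init
    2 ?        00:00:00 kflushd
  145 ?        00:00:00 inetd
  300 pts/0    00:00:00 bash
"""

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_PROC_PIDS, pids_from_ps_output(SAMPLE_PS)))
    print("live:  ", live_check())
```

This only catches a user-space ps replacement like Adore's; a kernel-level rootkit filters /proc as well, so pair it with an integrity check of the ps binary itself (rpm -V procps on Red Hat compares it against the package's recorded checksums). Any PID it reports can be inspected directly through /proc/PID/exe and /proc/PID/cmdline without going through ps at all.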

 

Naked Wife Virus Strips Down Computers
 
Last month it was Anna Kournikova. Now the Naked Wife has come to the Internet--packing a payload that is far more destructive than the Kournikova worm's. The Naked Wife Trojan virus--which masquerades as a Flash movie of a naked woman--spreads via Microsoft Outlook and can damage vital system files, rendering an affected computer inoperable, according to security company McAfee.com Corporation.
 
When run, the worm sends itself to all recipients in a user's Windows Address Book and also attempts to delete all .BMP, .COM, .DLL, .EXE, and .INI files in the WINDOWS and WINDOWS\SYSTEM directories, McAfee.com said. The virus is also known as NAKEDWIFE, W32/Naked@MM and W32.HLLW.JibJab@mm, according to Computer Associates International, Inc.

 
JibJab Jihad
The virus arrives as an e-mail titled "Fw: Naked Wife" with a message body that reads: "My wife never look like that! ;-) Best Regards, (sender's name here)" and an attachment called "NakedWife.exe." When a user opens the NakedWife.exe file, the virus copies itself to a TEMP directory and displays a window called "Flash" that reads "JibJab Loading" while it attempts to send itself to other users and destroys system files. Choosing the HELP|ABOUT menu in the "Flash" window displays a message box entitled "Flash," which reads "You're are now F**KED! (C) 2001 by BGK (Bill Gates Killer)," according to McAfee.com.
 
Diagnosing the Disease
Users who cannot launch applications; cannot find .BMP, .COM, .DLL, .EXE, and .INI files in the WINDOWS and WINDOWS\SYSTEM directories; or receive e-mail that says they have sent others the NakedWife.exe attachment are likely infected by the virus, McAfee.com said. Those hoping to avoid the Naked Wife--tempting as she might sound--can download virus updates from antivirus companies' Web sites.
 
Avoid 'Stranger' Attachments
Just as in the real world, staying away from unfamiliar attachments can reduce risk. "This is yet another example of a mass mailing threat that can spread easily and rapidly, by fooling computer users into executing the malicious payload," said Ian Hameroff, business manager for antivirus solutions at Computer Associates. "Users should always exercise caution and utilize good judgment when receiving e-mails with attachments." "There's no new technology being employed here, just effective social engineering, I'm sad to say," added David Perry, global education director for network antivirus and security company Trend Micro. "Users really need to learn to think twice before clicking on attachments."
 
Kournikova Redux
The Anna Kournikova worm, which struck in mid-February, initially posed as an e-mail attachment purporting to include a photograph of the 19-year-old Russian tennis star, currently ranked ninth in the world among women players. The virus did not actually contain a photo. Instead, when a user opened the attachment, the virus spread through the computer's e-mail program, sending itself to all those listed in the computer's e-mail address book. Like previous worm e-mails -- but unlike the malicious Naked Wife bug -- the so-called Anna virus did not harm infected systems. However, it caused traffic jams on e-mail servers and cost companies a bundle in time and energy to clean up the mess it left behind.

 

 

 
III.) Security Advisories
(Source: RedHat)
  
A variety of FTP servers incorrectly manage buffers in a way that can lead to remote intruders executing arbitrary code on the FTP server. The incorrect management of buffers is centered around the return from the glob() function, and may be confused with a related denial-of-service problem. These problems were discovered by the COVERT Labs at PGP Security.
 
Filename "globbing" is the process of expanding short-hand notation into complete file names. For example, the expression "*.c" (without the quotes) is short-hand notation for "all files ending in ".c" (again, without the quotes). This is commonly used in UNIX shells, in commands such as ls *.c. Globbing also often includes the expansion of certain characters into system-specific paths, such as the expansion of tilde character (~) into the path of the home directory of the user specified to the right of the tilde character. For example, "~foo" expands to the home directory for the user "foo" on the current system. The expressions used in filename globbing are not strictly regular expressions, but they are syntactically similar in many ways.
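What the advisory leaves implicit is why a glob expansion can overrun a buffer: the size of the expanded text is chosen by the client, not the server. The added example below (my code, not the COVERT Labs findings or any ftpd's source) expands patterns against a small in-memory tree, keeps the ".." segments in the output the way an ftpd echoes them back, and offers a bounded variant that refuses expansions beyond a result or byte budget; the tree and the limits are assumptions for the demo.

```python
import fnmatch
import posixpath

# Constructed in-memory directory tree standing in for the FTP server's
# filesystem (an assumption for the demo, nothing from the advisory).
TREE = {
    "": ["pub", "etc", "tmp"],
    "pub": ["a.c", "b.c", "notes.txt"],
    "etc": ["passwd", "group"],
    "tmp": [],
}

WILDCARDS = set("*?[")


class GlobTooLarge(Exception):
    """Raised when an expansion would exceed the server's budget."""


def _join(prefix, seg):
    return seg if prefix == "" else prefix + "/" + seg


def expand(pattern, tree=TREE, max_results=None, max_bytes=None):
    """Expand a glob pattern the way an ftpd does for LIST/NLST, returning the
    literal expanded names (".." kept) rather than canonical paths.

    max_results and max_bytes, when given, bound the output; an unbounded
    expansion is exactly what lets a short pattern fill a fixed buffer.
    """
    # Each state is (canonical directory for matching, literal text built so far).
    states = [("", "")]
    for seg in pattern.split("/"):
        nxt = []
        for cwd, literal in states:
            if seg == "..":
                nxt.append((posixpath.dirname(cwd), _join(literal, seg)))
            elif WILDCARDS & set(seg):
                for name in tree.get(cwd, []):
                    if fnmatch.fnmatchcase(name, seg):
                        nxt.append((_join(cwd, name), _join(literal, name)))
            elif seg in tree.get(cwd, []):
                nxt.append((_join(cwd, seg), _join(literal, seg)))
        states = nxt
        # Check after every segment: the count multiplies at each wildcard.
        if max_results is not None and len(states) > max_results:
            raise GlobTooLarge(f"{len(states)} matches after segment {seg!r}")
    results = [literal for _, literal in states]
    if max_bytes is not None and sum(len(r) + 1 for r in results) > max_bytes:
        raise GlobTooLarge("expanded listing exceeds the reply buffer budget")
    return results


def expansion_bytes(pattern, tree=TREE):
    """Size of the text (one name per line) an unbounded server would copy
    into its reply buffer for this pattern."""
    return sum(len(r) + 1 for r in expand(pattern, tree))


if __name__ == "__main__":
    p = "*/../*/../*"
    print(len(p), "bytes of pattern ->", expansion_bytes(p), "bytes of expansion")
```

A pattern such as */../*/../* multiplies its match count at every wildcard segment, so eleven characters of input become 27 names and several hundred bytes of reply, and one more wildcard triples it again. A server that sizes its reply from the pattern rather than from the expansion is the one the advisory describes; the budget check is the server-side remedy, and the related denial-of-service the text mentions is the same growth taken far enough to exhaust memory or CPU.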
   
Full story: here

 

RedHat Network Time Daemon ntpd has potential remote root exploit

(Source: RedHat)
  
The Network Time Daemon (xntpd on Red Hat Linux 6.2 and earlier, ntpd on Red Hat Linux 7.0) does not properly check the size of a buffer used to hold incoming data from the network.  Potentially, an attacker could gain root access by exploiting this weakness. Potential damage is mitigated by the fact that the Network Time Daemon is not enabled by default.  If you are not using network time services, it may not even be installed. As a general rule, Red Hat encourages users to enable only those network services they actually need.
  
Full story: here
 

Automatic Execution of Embedded MIME Types

(Source: Cert)
 
Microsoft Internet Explorer has a vulnerability triggered when parsing MIME parts in a document that allows a malicious agent to execute arbitrary code.
  
Full Story: here

 

Exploitation of snmpXdmid
(Source: Cert)
  
The CERT/CC has received numerous reports indicating that a vulnerability in snmpXdmid is being actively exploited. Exploitation of this vulnerability allows an intruder to gain privileged (root) access to the system.
  
Full Story: here
 

Unauthentic "Microsoft corporation" Certificates
(Source: Cert)
 
On January 29 and 30, 2001, VeriSign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not. Once accepted, these certificates may allow an attacker to execute malicious code on the user's system.
  

Full Story: here
 

New Lion Virus

(Source: eWeek)
  
Computer security experts have unearthed a new worm that they say is spreading rapidly on the Internet and is capable of changing network settings, stealing passwords and eliminating some security measures, setting up the infected machine for further attacks.
  
Known as the Lion worm, the virus spreads through an application called "randb," which infects Linux machines running version 8 of the BIND DNS software, one of several iterations that are known to have numerous security vulnerabilities.
 
Full Story: here


 

 

IV.) Critical Software Updates

 

Windows
 
Microsoft latest critical security updates:  
  •      Internet Explorer Error Reporting
  •      Microsoft virtual machine
  •      Windows IDE Hard Drive Cache Package
  •      Windows Movie Maker Update
  •      Security Update, April 2, 2001
  •      DirectX 8.0a Upgrade
 
 

Linux

 
Critical updates: Linux-Mandrake, Debian GNU/Linux, RedHat, LinuxPPC, Corel Linux, Phat Linux, Slackware, SuSE, Stampede Linux, Caldera OpenLinux, Yellow Dog Linux, Linux Router Project, Storm Linux, MKLinux, TurboLinux
  
Get updates here: http://www.linux.com/getlinux/
 
 
 

 

V.) Top 10 Network Security Problems (Updated Monthly)

 

1. Hosts running unnecessary services, e.g., services exposed to denial of service, and anonymous FTP

2. Unpatched, outdated, vulnerable, or default-configured software and firmware

3. Information leakage through services, e.g., SNMP, SMTP, finger, rusers, systat, netstat, Telnet banners, Windows NT TCP 139 SMB (server message block), and zone transfers to non-name-server hosts.

4. Misappropriated trust relationships, e.g., rlogin, rsh, rexec

5. Misconfigured firewall or router access control lists 

6. Weak Passwords

7. Misconfigured Web servers, e.g., CGI scripts, anonymous FTP, and SMTP

8. Improperly exported file sharing services, e.g., NetWare File Services, NetBIOS

9. Misconfigured or unpatched Windows NT servers

10. Unsecured remote access points 
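Several of these items (1, 3, 4 and 10) are settled on a UNIX host in one file, /etc/inetd.conf, so here is an added example (my code, not from the newsletter) of an audit that parses it, reports the enabled services that fall into those categories, and writes a hardened copy with them commented out. The inetd.conf it reads is constructed, and the grouping of service names under the top-10 items is my assumption for the demo.

```python
# inetd.conf service names (first field), grouped by the top-10 item they relate to.
INFO_LEAK = {"finger", "systat", "netstat", "rusersd"}      # item 3
TRUST_BASED = {"login", "shell", "exec"}                     # item 4: rlogin, rsh, rexec
CLEARTEXT_LOGIN = {"telnet"}                                 # item 10
REVIEW = {"ftp"}                                             # item 1: keep only if needed
SOCKET_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

# Constructed sample inetd.conf (not taken from any real host).
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server> <args>
ftp         stream tcp     nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet      stream tcp     nowait root   /usr/sbin/tcpd in.telnetd
#shell      stream tcp     nowait root   /usr/sbin/tcpd in.rshd
login       stream tcp     nowait root   /usr/sbin/tcpd in.rlogind
finger      stream tcp     nowait nobody /usr/sbin/tcpd in.fingerd
systat      stream tcp     nowait guest  /usr/sbin/tcpd /bin/ps -auwwx
rusersd/2-3 dgram  rpc/udp wait   root   /usr/sbin/tcpd rpc.rusersd
"""


def parse_inetd(text):
    """Return one dict per service entry, including commented-out ones."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.lstrip("#").split()
        # Fewer than six fields, or a non-socket second field, means a blank
        # line or free-form comment rather than an entry.
        if len(fields) < 6 or fields[1] not in SOCKET_TYPES:
            continue
        entries.append({
            "lineno": lineno,
            "service": fields[0].split("/")[0],   # drop RPC version suffix (rusersd/2-3)
            "enabled": not raw.lstrip().startswith("#"),
            "server": fields[5],
        })
    return entries


def audit(text):
    """List enabled entries that match one of the top-10 categories above."""
    findings = []
    for entry in parse_inetd(text):
        if not entry["enabled"]:
            continue
        service = entry["service"]
        if service in INFO_LEAK:
            category = "information leak"
        elif service in TRUST_BASED:
            category = "trust-based r-service"
        elif service in CLEARTEXT_LOGIN:
            category = "cleartext remote login"
        elif service in REVIEW:
            category = "review"
        else:
            continue
        findings.append({"lineno": entry["lineno"], "service": service,
                         "category": category})
    return findings


def harden(text):
    """Comment out every flagged entry except the 'review' ones, which need a
    human decision; returns the new file contents."""
    to_disable = {f["lineno"] for f in audit(text) if f["category"] != "review"}
    lines = text.splitlines()
    return "\n".join("#" + line if n in to_disable else line
                     for n, line in enumerate(lines, 1)) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_INETD_CONF):
        print(f"line {finding['lineno']:>2}: {finding['service']:<8} {finding['category']}")
    print(harden(SAMPLE_INETD_CONF))
```

Feed it open("/etc/inetd.conf").read(), write harden()'s output back and send inetd a SIGHUP (kill -HUP `pidof inetd`) so it re-reads the file. ftp is only flagged for review because some hosts genuinely need it; SNMP, SMTP and BIND, the other leaks in item 3, run as standalone daemons with their own configuration and are outside this file.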

 

 

VI.) Monthly Newsletter Contest Winners


Congratulations to March winners of the Dell Notebook, Palm PDA, McAfee Internet Guard Dog, and Secrets & Lies. 

 
Marina
Duane Benedict
Steve Sandgren
Andrea Minor

 

"Thank you.  This is the best birthday present I could have gotten.  I'll be checking in with you soon." - PDA Winner - Duane Benedict, Hallstead PA.