September 2004 – Page 6 – CyberSecurity Institute

Virus writers add network sniffer to worm

Posted on September 14, 2004December 30, 2021 by admini

So far there are no reports of SDBot-UH in the wild but the inclusion of selective network sniffing along with keystroke logging features and other backdoor capabilities has security researchers worried.

Sniffers are designed to monitor network traffic. They are widely used for network performance diagnostics but in this instance their function has been turned to malign purposes. Bundling a network sniffer with an auto-propagating worm makes it easier for hackers to harvest usernames and passwords than would otherwise be the case.

The sniffing capabilities of SDBot-UH worm focus on phrases associated with network logins and Paypal accounts. It also tries to steal the CD keys of games, according to an advisory by AV firm Trend Micro.

Patrick Nolan, a security researcher at the Internet Storm Center, warns: “If the Trojans described by Trend can successfully transmit the filter’s packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues.”

SDBot-UH uses a variety of well-known Microsoft exploits to spread. It also looks for weak usernames and passwords to gain access to target machines. Malicious sniffers can be difficult to detect but Netcraft points to a number of tools such as Sentinel and AntiSniff that can be used to detect sniffers on a network.

http://www.theregister.co.uk/2004/09/14/network_sniffer_worm/

Security downtime to triple

Posted on September 14, 2004December 30, 2021 by admini

According to analyst house Gartner, downtime linked to security problems will rise from five per cent to 15 per cent of all downtime, due to the influx of mobile working technologies and a growing dependence among businesses on the internet and web services. The analyst house has a degree of optimism for how future security will pan out.

John Pescatore, Gartner VP and research fellow, said in a statement that in the next few years changes to operating systems and hardware will help the security effort but in the meantime, IT staff will have to try and use “stopgap approaches to deal with new vulnerabilities associated with unsafe customer, employee and business partner platforms”.

Gartner advises that for companies building their own software, developers should be pushed to put security at the head of their list.

It’s not just in-house tech makers that need a word in their ears — the analysts suggest end users should give vendors grief about tightening up their security procedures too.

http://news.zdnet.co.uk/internet/security/0,39020375,39166536,00.htm

Sun touts tougher security in Solaris 10

Posted on September 14, 2004December 30, 2021 by admini

Paul Sangster, senior Solaris security architect for the Santa Clara, Calif.-based company, touted Solaris 10’s security improvements during a roundtable discussion at Sun’s Burlington, Mass., offices Monday, saying, “Security touches everything we do, and in designing Solaris 10 we made the assumption that the Web server is sloppy” and in need of extra layers of protection. I expect IT administrators will greatly appreciate the N1 grid container zone feature and the user rights management privilege feature,” Sangster said. “These features enable (them) to much more tightly protect their services, even in the face of an attacker exploiting a known hole in some third-party software that was deployed but not yet patched.

He said the N1 grid container technology will allow users to create up to 4,000 secure, fault-isolated software partitions, each with its own IP address, memory space, file area, host name and root password.

Solaris 10 has been in development for two and a half years, and has slowly been made available to customers in recent months.

He added that Linux applications can run unmodified on Solaris.

Weinberg added that the capabilities in Trusted Solaris have been folded into Solaris 10. “Trusted Solaris has been used in government but has been separate from the standard Solaris,” he said. “We started this integration with Solaris 8, and Solaris 10 completes the move.”

James Dobson, system architect for Dartmouth College in Hanover, N.H., talked about the success the institution’s psychology department has had in using a version of Solaris 10. Pointing to the operating system’s improved interoperability, Dobson said, “We use multiple applications and platforms and Solaris 10 is working smoothly with all of these.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1005868,00.html

Metrics Matter

Posted on September 10, 2004December 30, 2021 by admini

If you want your security organization to be supported (or at least tolerated) by management, the department must become a communication station. Avoid subjective interpretations or even anecdotal information; instead, focus on metrics that are objective and indisputable.

As an example, to calculate the impact of spam filtering, the team began counting e-mails the filter rejected. Despite a few user complaints, the metrics showed these were isolated incidents and proved that a great majority of legitimate mail was getting through. This correlation of traffic to outbreaks would later help the IT staff react faster to outbreaks, because they could see worm signs before it spread.

Most infrastructure metrics are designed for gearheads, and the data is not useful to business managers.

Start with the message you want to communicate to management, then figure out which metrics would support that point. A mix of good news and bad news is to be expected–any manager knows that an employee who communicates only great news is probably a liar. If your security reports are always full of sunshine, expect management to become suspicious–and with good reason.

For instance, clients who use desktop-management and antivirus software appreciate being able to perform a “check-in”–that is, every workstation on the network “phones home” to the master console, ensuring each is in compliance with policies, such as pattern updates. This type of report is a good indicator that (a) your software investment is functioning; (b) the majority of users haven’t cleverly disabled the agent so they can download porn and install cute screensavers; and (c) you can, if necessary, invoke additional software functionality.

Indeed, any process you monitor will show that you’re on top of things–particularly if the process is new to your organization, such as vulnerability remediation, server- configuration compliance, unsuccessful login monitoring or log-exception monitoring.

When you must express dollar figures, try to associate some measure of probability with them–IT security is equivalent to risk management, after all.

Ultimately, use caution and be conservative when estimating dollar payback or you risk damaging your credibility.

Finally, in security and in business, timing is everything.

http://www.securitypipeline.com/46200070

Microsoft Sets a New Deadline for XP Service Pack 2

Posted on September 8, 2004December 30, 2021 by admini

Microsoft made available to customers in August a couple of different tools to temporarily disable the delivery of SP2 to users machines via its Windows Update/Automatic Update patching services. A number of customers had requested these tools, claiming they were not ready to take delivery of SP2, as they had not tested SP2 adequately to make sure it did not break their applications. Originally, the tools were set to postpone delivery via Windows Update/Automatic Update for 120 days, starting August 16. But on September 7, Microsoft extended this deadline to 240 days (April 12th 2005).

Microsoft has acknowledged that a number of applications, including several of its own, do not work properly with SP2 unless certain settings are changed. And a number of third-party hardware and software vendors still have yet to provide patches and updates to their products that will allow them to work with SP2.

This fall, Microsoft will be reaching out to this user base via its “Protect Your PC” campaign, in an attempt to make sure as many XP users as possible install the SP2 update.

http://www.microsoft-watch.com/article2/0,1995,1643908,00.asp?kc=MWRSS02129TX1K0000535

Over 3,000 malicious codes detected in August: Trend Micro

Posted on September 7, 2004December 30, 2021 by admini

According to the Trend Micro World Wide Tracking Centre, Sasser was the most prevalent virus in August with 325,409 victims and made up nearly 31 percent of infections in the August top 10 virus list.

Mark Sinclair, Trend Australia’s technical services manager, said both viruses were written by the same programmer; an 18-year old German who was responsible for 77 percent of infections by the top ten viruses in August. “According to Trend Micro statistics, the NetSky series has been listed among the top ten viruses since February, accounting for over half of the top ten viruses between April and July.

Most of the new viruses were variations of previous viruses, with eight new variants of the Worm _rbot series, and nine variants of the Worm_sdbot series. Another possible motive is to build a dormant “dark” network that could be used in the future to perform a large-scale attack against one or more targets.

“Mass mailers usually feature executable file attachments and stripping these attachments at the gateway is a simple method of reducing infection,” Sinclair said. “The authors of Bagle continue to wage war on Netsky; proof of concept viruses are appearing for wireless devices and 64 bit operating systems and phishing/keyboard logging Trojans are becoming more prevalent,” he said. “The potential to see new damaging network worms such as Sasser, SQL Slammer and Blaster is always there.

The top five targets of Internet bank fraud in August were US Bank, Citibank, Suntrust Bank, eBay and Paypal.

http://www.zdnet.com.au/news/security/0,2000061744,39158445,00.htm