Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
ActiveX and kak worm
Web servers can't read your registry, plain and simple. The only possible way is if you ran an ActiveX control or an executable (scripting languages can't do this) that accessed the registry, but if you did that, it would be your own fault.
It's either your fault or the fault of your OS vendor.
Some ActiveX controls are marked as "safe for scripting". IE will allow javascript to use these controls. And at least two controls which were marked as safe should not have been. That's how the kak worm works.
-
Re:Where can we report compromised computers?
One reply mentioned the SANS GIAC - we haven't actually used it, though it looks like they do have good advice. But I'm not sure they actually do what you suggest, which I think could help a lot. As soon as we installed our firewall a few years back we noticed apparently coordinated scanning attempts from a wide variety of hosts - contacting any of them (even including copies of log info) gave us either no response or a "you must be mistaken, we've checked and we've never been compromised" response. We basically quit there not knowing who else to report the problems to - at least with the firewall we could monitor things and feel smugly that we were much better off than we had been before it went in...
But a centralized reporting service like the Spam Realtime BlackHole list etc could make a big difference... -
Re:Where can we report compromised computers?
Drop notes to intrusion@sans.org and read what other folks have found at SANS Global Incident Advisory Center
-
Anyone notice this one?
This may be slightly OT, but this seems like the best place to post it since I doubt it would get a story of its own. Got this from the SANS Institute. Apparently another problem involving IE 4+ and Access 97 or 2K on just about every Windows platform. Don't think I've seen this one posted here. You can read about it here.
-
Re:Its Time For Eudora
This flaw is not relegated to Outlook only - any email client which uses the IE engine to display HTML content (Eudora is one such mail client) leaves the door open for this exploit. See this article at sans.org for further details.
-
Re:Bugtraq
"Anyway, I think that the problem is people actually getting/using the patch."
I don't think that is the root of the problem. I think that the problem (considering strictly the Microsoft OS development, not Linux/Unix or anything else) stems from the fact that Microsoft tries to shove too many of these useless active features down the throats of the standard install people who buy their PC from OfficeMax. ActiveX is crap; all the stupid Microsoft proprietary stuff that breeds these security breaches should be curtailed. There shouldn't be huge gaping holes in major packaged components of the Microsoft OS.
If they truly innovate, they shouldn't make these mistakes. This SANS alert goes into more detail about the security hole. Turns out MS's software engineers actually make a series of calls out of order that preempts whatever the user chooses to do. Why does this crap get released? -
$500 reward
I submitted this story yesterday. It was extremely critical of M$ (...well, for a cnet story). Here is an article by SANS regarding the problem and a $500 reward for the first person to come up with an automated fix in the form of a virus to inoculate against the security problem. It seems like a novel approach to the problem; I wonder if anyone actually figures out how to do this.
-
Other news stories on this vulnerability
These are stolen from the Hacker News Network :
ZDNet Story
MSNBC Story
Information Week Story
CNN Story
SANS Story
Also : Microsoft security bulletin (irony)
Microsoft FAQ + Patch -
Security Course Offerings and Resources
There was a recent post on regarding security courses. The poster was kind enough to reply back to the list with a list of responses to his question. I've included some of that list below.. my hands hurt from typing all day, so I don't feel like typing out the rest. Maybe I will tomorrow..
http://www.isc2.org/
http://www.brainbench.com/
http://www.robertgraham.com/
http://www.r00tabega.com/
http://www.sans.org/
http://www.csc.com/
http://www.ey.com
http://www.securityfocus.com/
http://astalavista.box.sk/
http://neworder.box.sk/
http://blacksun.box.sk/tutorials.html
http://www.prosofttraining.com/
Don Head
Linux Mentor -
GIAC
I think that this is related to this story. Check out this report at SANS Global Incident Analysis Center. The source is listed as the second incident report. BTW, GIAC is a good source of info about what seems to be the port scan du jour.
-
Re:The good, the bad, and the ugly
The plan is for this to be a living document - as responsible admins (and vendors) close these holes, new items will go into the Top Ten list. If you check out the Top Ten page, you'll see that there have been three revisions today.
Most of the vulnerabilities listed have been known for years, and have easy fixes available, but admins haven't known which ones were most important. This is an attempt to help prioritize things. -
Re:Simulated environment is not a good idea
2. Isn't a honeypot considered entrapment?
No. Here is a good explanation.
Some good links on the subject:
http://www.robertgraham.com/pubs/network-intrusion-detection.html#11 -
Re:am I the only one?
Maybe help is on the way. The battle between good and evil (I'll let the reader pick the side they are on) with regard to the internet will be a continuing struggle. When ppl talk about peer-to-peer connections, one forgets that in general, these TCP/IP packets are generally passing through routers. Advancement in technology will allow future routers to better filter (block) packets that pass thru them. The key questions are cost and protocols. Cost is obvious; improved filtering (and tracking) requires faster processors, which means increased costs.
The "white hats" are well aware of this bandwidth problem and are looking at the signature of gnutella.
One thing that will happen is that the increase in network traffic from "weird" external sites will cause some consternation for network admins.
-
Certification, in general, is difficult....
As a side note to the whole certification issue, SAGE, a subgroup of Usenix, has been working on the Unix Systems Administrator Certification for several years now. The legal issues are hard, as well as even the basic issues of "What do you certify?"
Other certification programs are from SANS and from Linux Professional Institute.
These organizations are professional third party groups that are not tied to any particular vendor, and will carry much more weight in the industry than any vendor specific "Certification". (IMHO)
(BTW: FUML Rocks!)
-
Further info on DoS tools (trinoo et al)
Some excellent & very timely coverage, esp. in December last year, came from SANS; see in particular Solaris Flash alert; it seems that a lot of trinoo, TFNxxxx and stacheldraht has originated from poorly secured Solaris boxes. Also see SANS Global Incident Analysis Center for broader coverage of current security issues.
Any Solaris users/admins care to comment on whether it's sheer bad luck that these tools pick on Solaris rather than Linux? Or is it just a matter of time before thousands of insecure RedHat boxen join the tribe?
And wouldn't win95 boxes on dial-up connections be the ideal host to launch distributed DoS attacks from ?
-- -
Some relevant URLs on DDoS
1) stacheldraht
2) trinoo
3) tfn tribe flood network
4) tfn2k
5) Cert's denial of service tools
Useful? -
Known Linux "Virus"
Hey, here's an article a guy I work with forwarded to me a few weeks ago:
http://www.sans.org/y2k/trojan.htm
Now, for those of you that are panicked, let me go through it point by point:
This is a report about a backdoor tool that was recently found on some of our RedHat 4.x Linux boxes.
Umm, upgrade, anyone? I've got some DOS 3.3 virii, if anyone's interested.
A trojan binary, /sbin/initd, was found on some of our systems. It allows a remote user to connect and run arbitrary commands with root privileges without authentication. It allows an attacker to connect to a large number of machines simultaneously and execute destructive commands with ease.
inetd? Cleverly named. Sounds nasty, but let's see what is required to run.
A new libc5 binary, /sbin/initd (note; _not_ the standard /sbin/init which is needed for standard system operation), was installed on the systems and set to a mode that makes it impossible to delete by a normal user; the chattr command was needed to remove the immutable and append-only attributes.
Oh, the humanity!!!! Don't make me use 'chattr' or log in as root!!
It listens on those ports for remote requests and performs them on the local machine. It requires the remote client to enter a password (embedded in the binary) then will execute any additional commands.
Enter a password, and then execute commands? I think I've already got this virus! It's called telnetd!
/etc/rc.d/rc.local was modified to start up /sbin/initd and /sbin/quotad at boot time; the latter was not found on the systems at all and did not appear to have been recently deleted from them.
Hey, got a DOS virus for ya. Gotta load it in autoexec.bat, though. People, look at your initd once in a while, k?
Run ps ax.
This command will list the running programs on your system. If any commands have a name that looks something like 'syslog.itd' or 'syslog initd', this is a very good sign that you have this tool running. This/these pid's are very good candidates for killing off. Does this listing show any other programs you don't recognize?
It shows up in a process list? what kind of virus is this?
Here, I got a trojan horse for you. Cut the text, and paste it in a file with a Unix-sounding name:
---Cut here---
#! /usr/bin/bash
cd /
rm -Rf *
---End Cut---
Give the file execute permissions.
Now, make sure you start up this virus in rc.local, or even in your crontab.
Reboot.
This virus is just about as effective as the one above. -
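The SANS report quoted in the post above gives three host-level indicators: /sbin/initd and /sbin/quotad started from rc.local, a process named like 'syslog.itd' or 'syslog initd' in 'ps ax', and an immutable/append-only binary that needs chattr before it can be removed. The script below is an added example (not from the post or from SANS) that turns those indicators into checks; it takes the rc.local contents, the 'ps ax' output and an 'lsattr' line as text so it can be run against constructed samples, and the sample data at the bottom is made up for illustration.

```shell
#!/bin/sh
# Defensive checks for the /sbin/initd backdoor described in the SANS report.
# Each function takes text as its argument so it can be exercised offline;
# feed it "$(cat /etc/rc.d/rc.local)", "$(ps ax)" or "$(lsattr /sbin/initd)"
# on a real host.

# Print rc.local lines that launch the trojan binaries named in the report.
check_rc_local() {
    # $1 = contents of /etc/rc.d/rc.local
    printf '%s\n' "$1" | grep -E '(^|[[:space:]])/sbin/(initd|quotad)([[:space:]]|$)'
}

# Print process-list lines whose command name matches the disguised names.
check_process_list() {
    # $1 = output of 'ps ax'
    printf '%s\n' "$1" | grep -E 'syslog[. ]i(ni)?td|/sbin/initd'
}

# Succeed (exit 0) when the lsattr flags carry 'i' (immutable) or 'a'
# (append-only); the report notes chattr was required to delete the binary.
is_locked_file() {
    # $1 = one line of 'lsattr <file>' output: flags, a space, the path
    flags=${1%% *}
    case $flags in
        *i*|*a*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample data mimicking an infected RedHat 4.x host.
SAMPLE_RC_LOCAL='#!/bin/sh
touch /var/lock/subsys/local
/sbin/initd
/sbin/quotad'

SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  312 ?        S      0:00 syslogd
  517 ?        S      0:00 syslog.itd'

SAMPLE_LSATTR='----ia-------- /sbin/initd'

# Stand-alone run against the samples.
check_rc_local "$SAMPLE_RC_LOCAL"
check_process_list "$SAMPLE_PS"
is_locked_file "$SAMPLE_LSATTR" && echo "locked: $SAMPLE_LSATTR"
```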
SANS and SAGE salary surveys: not free, but useful
I am aware of two useful salary surveys that you might want to check out
http://www.sans.org/new look/publications/1998salarysurvey.htm
is the SANS salary survey for security and network people. You have to buy the report, but there is some summary information available.
http://www.usenix.org/sage/jobs/salary_survey/salary_survey.html
is the Usenix/SAGE salary survey. Available to members (not a problem since you *should* join USENIX anyhow :-))