BoS: CERT Summary CS-96.05
Rodney Thayer
rodney at sabletech.com
Tue Oct 1 09:19:23 EDT 1996
See the info on Linux systems below.
>Date: Mon, 30 Sep 1996 17:17:33 -0400 (EDT)
>To: Multiple Recipients of e$pam <e$pam at intertrader.com>
>From: e$pam at intertrader.com (e$pam)
>Subject: BoS: CERT Summary CS-96.05
>X-orig-from: CERT Advisory <cert-advisory at cert.org> (by way of rah at shipwright.com)
>
>Forwarded by Robert Hettinga
>
>-----------------------------------------------------------------------
>Date: 24 Sep 1996 21:32:54 GMT
> From: CERT Advisory <cert-advisory at cert.org> (by way of rah at shipwright.com (Robert A. Hettinga))
> To: rah at shipwright.com
> Subject: BoS: CERT Summary CS-96.05
> Organization: e$
> Newsgroups: comp.security.announce
>
> CERT(sm) Summary CS-96.05
> September 24, 1996
>
> The CERT Coordination Center periodically issues the CERT Summary to
> draw attention to the types of attacks currently being reported to our
> Incident Response Team. The summary includes pointers to sources of
> information for dealing with the problems. We also list new or updated
> files that are available for anonymous FTP from
> ftp://info.cert.org/pub/
>
> Past CERT Summaries are available from
> ftp://info.cert.org/pub/cert_summaries/
> - ---------------------------------------------------------------------------
>
>
> Clarification to CS-96.04
> - -------------------------
>
> In our previous CERT Summary, we said that the intruder community is
> developing new techniques and tools to analyze programs for potential
> vulnerabilities even in the absence of source code. We did not mean to imply
> that all developers of these techniques in the wider technical community are
> members of the intruder community, nor that they intend their work to be used
> by the intruder community.
>
>
> Recent Activity and Trends
> - --------------------------
>
> Since the July CERT Summary, we have noticed these trends in incidents
> reported to us.
>
> 1. Denial of Service Attacks
>
> Instructions for executing denial-of-service attacks and programs to
> implement such attacks have recently been widely distributed. Since
> this information was published, we have noticed a significant and
> rapid increase in the number of denial-of-service attacks executed
> against sites.
>
> To learn more about denial-of-service attacks and how to limit them,
> see
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
>
> To monitor and log an attack, you can use a tool such as Argus. For
> more information regarding Argus, see
>
> ftp://info.cert.org/pub/tech_tips/security_tools
>
>
> 2. Continuing Linux Exploitations
>
> We continue to see incidents in which Linux machines are the victims
> of break-ins leading to root compromises. In many of these incidents,
> the systems were misconfigured and/or the intruders exploited
> well-known vulnerabilities for which CERT advisories have been
> published.
>
> If you are running Linux, we strongly urge you to keep up to date with
> patches and security workarounds. We also recommend that you review
>
> ftp://info.cert.org/pub/cert_advisories/CA-94:01.network.monitoring.attacks
> ftp://info.cert.org/pub/tech_tips/root_compromise
>
> Further, you may want to monitor the Linux newsgroups and mailing
> lists for security patches and workarounds. More information can be
> found at
>
> http://bach.cis.temple.edu/linux/linux-security/
>
>
> 3. PHF Exploits
>
> At least weekly, and often daily, we see reports of password files
> being obtained illegally by intruders who have exploited a
> vulnerability in the PHF cgi-bin script. The script is installed by
> default with several implementations of httpd servers, and it contains
> a weakness that allows intruders to retrieve the password file for the
> machine running the httpd server. The vulnerability is described in
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
>
> Once the intruders retrieve the password file, they may attempt to
> crack the passwords found in the file. For information about
> protecting your password files, please see
>
> ftp://info.cert.org/pub/tech_tips/passwd_file_protection
>
>
> 4. Software Piracy
>
> We have received frequent reports regarding software piracy since the
> last CERT Summary was issued. Although software piracy is beyond the
> scope of the mission of the CERT Coordination Center, it is often
> associated with compromised hosts or accounts because intruders
> sometimes use compromised hosts to distribute pirated software. News
> of illegal collections of software circulates quickly within the
> underground community, which may focus unwanted attention on a site
> used for software piracy.
>
> We encourage you to periodically check your systems for signs of
> software piracy. To learn more, please examine our relevant tech tips:
>
> ftp://info.cert.org/pub/tech_tips/anonymous_ftp_abuses
> ftp://info.cert.org/pub/tech_tips/anonymous_ftp_config
>
> To learn more about detecting and preventing security breaches, please see
>
> ftp://info.cert.org/pub/tech_tips/intruder_detection_checklist
>
>
>
> - ----------------------------------
> What's New in the CERT FTP Archive
> - ----------------------------------
> We have made the following changes since the last CERT Summary (July 23,
> 1996).
>
> * README Files Incorporated into Advisories
>
> As of August 30, 1996, we no longer put advisory updates into README files. We
> now revise the advisories themselves. In addition, we have updated past
> advisories with information from their README files. We urge you to check
> advisories regularly for updates that relate to your site.
>
> * New Additions
>
> ftp://info.cert.org/pub/cert_advisories/
>
> CA-96.14.rdist_vul
> CA-96.15.Solaris_KCMS_vul
> CA-96.16.Solaris_admintool_vul
> CA-96.17.Solaris_vold_vul
> CA-96.18.fm_fls
> CA-96.19.expreserve
> CA-96.20.sendmail_vul
> CA-96.21.tcp_syn_flooding
>
> ftp://info.cert.org/pub/cert_bulletins/
>
> VB-96.12.freebsd
> VB-96.13.hp
> VB-96.14.sgi
> VB-96.15.sco
> VB-96.16.transarc
>
> ftp://info.cert.org/pub/latest_sw_versions
>
> swatch
>
> ftp://info.cert.org/pub/tech_tips
>
> UNIX_configuration_guidelines   These replace the security_info file
> intruder_detection_checklist    (the CERT Security Checklist).
> security_tools
>
> ftp://info.cert.org/pub/vendors/
>
> hp/HPSBUX9607-033   Added Hewlett-Packard bulletin about a security
>                     vulnerability in expreserve.
>
>
>
> * Updated Files
>
> ftp://info.cert.org/pub/cert_advisories/
>
> CA-96.02.bind               In the appendix, updated Sun Microsystems, Inc.
>                             patch information. In section I, added
>                             information about the next release of bind and
>                             the IsValid program.
>
> CA-96.08.pcnfsd             Updated URL for IBM Corporation, updated
>                             Hewlett-Packard Company patch information, and
>                             modified NEC Corporation patch information.
>
> CA-96.09.rpc.statd          Updated URL for IBM Corporation, removed a
>                             workaround for SunOS 4.x (patches now
>                             available), updated information on
>                             Hewlett-Packard Company, and added patch
>                             information for NEC Corporation. Also updated
>                             opening paragraph.
>
> CA-96.14.rdist_vul          In Appendix A, added note under Silicon
>                             Graphics, Inc. about using the find command,
>                             updated the Hewlett-Packard Company entry, added
>                             information about Digital Equipment Corporation,
>                             and added an IBM Corporation URL.
>
> CA-96.15.Solaris_KCMS_vul   In Introduction, added information about
>                             Solaris 2.5.1.
>
> CA-96.18.fm_fls             Added vendor information to Appendix A. Added
>                             Section III.B, which provides another possible
>                             solution to the problem.
>
> CA-96.19.expreserve         In Appendix A, added information for Silicon
>                             Graphics Inc. and Sun Microsystems, Inc.
>
> CA-96.20.sendmail_vul       Added to Sec. III.B instructions on configuring
>                             sendmail at sites that use '&' in the gecos
>                             field of /etc/passwd. Added to Sec. III.C a note
>                             on uid for "mailnull" user. In the appendix,
>                             added information from FreeBSD, Inc. and
>                             Berkeley Software Design, Inc. (BSDI).
>
> ftp://info.cert.org/pub/FIRST
>
> first-contacts
>
> ftp://info.cert.org/pub/latest_sw_versions
>
> rdist-patch-status Updated information for
> Hewlett-Packard Company and NeXT
> Software, Inc. information. Updated
> rdist version information in
> Section II.G.
> sendmail
>
>
> ftp://info.cert.org/pub/tech_tips
>
> root_compromise
>
>
>
> - ---------------------------------------------------------------------------
> How to Contact the CERT Coordination Center
>
> Email cert at cert.org
>
> Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
> Fax +1 412-268-6989
>
> Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
> To be added to our mailing list for CERT advisories and bulletins, send your
> email address to
> cert-advisory-request at cert.org
>
> CERT advisories and bulletins are posted on the USENET news group
> comp.security.announce
>
> CERT publications, information about FIRST representatives, and other
> security-related information are available for anonymous FTP from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
> If you wish to send sensitive incident or vulnerability information to CERT
> staff by electronic mail, we strongly advise you to encrypt your message.
> We can support a shared DES key or PGP. Contact the CERT staff for more
> information.
>
> Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
> - ---------------------------------------------------------------------------
> Copyright 1996 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided
> it is used for noncommercial purposes and credit is given to the CERT
> Coordination Center.
>
> CERT is a service mark of Carnegie Mellon University.
>
>
>
>
>
>
>
Rodney Thayer <rodney at sabletech.com> +1 617 332 7292
Sable Technology Corp, 246 Walnut St., Newton MA 02160 USA
Fax: +1 617 332 7970 http://www.shore.net/~sable
"Developers of communications software"
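The PHF item in the forwarded summary describes intruders pulling a machine's password file through the phf CGI script. As an added example (not part of the original message or of CERT's material), the following Python scans web-server access-log lines in Common Log Format for requests to a phf script under a cgi-bin directory, decoding percent-escapes before matching, and reports per client how many such requests were seen and whether any returned a 200, which separates a successful run of the script from a probe against a server that does not have it. The log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def is_phf_request(request_line):
    """True if the request targets a phf script under a cgi-bin directory.
    Percent-escapes are decoded first so an encoded path is not missed."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    path = unquote(urlsplit(parts[1]).path)
    segments = [s for s in path.split("/") if s]
    return "cgi-bin" in segments and segments[-1].lower() == "phf"

def scan_phf(log_lines):
    """Aggregate phf requests per client host.
    Returns {host: {"count": n, "first_seen": ts, "succeeded": bool}};
    succeeded is True when any phf request got a 200 (the script ran)."""
    hits = {}
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m or not is_phf_request(m["req"]):
            continue
        entry = hits.setdefault(
            m["host"], {"count": 0, "first_seen": m["ts"], "succeeded": False})
        entry["count"] += 1
        if m["status"] == "200":
            entry["succeeded"] = True
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Sep/1996:10:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [24/Sep/1996:10:02:17 -0400] "GET /cgi-bin/phf?Qname=x HTTP/1.0" 404 0',
    '10.0.0.9 - - [24/Sep/1996:10:02:19 -0400] "GET /cgi-bin/%70hf?Qname=x HTTP/1.0" 404 0',
    '10.0.0.7 - - [24/Sep/1996:10:05:44 -0400] "GET /cgi-bin/phf?Qname=x HTTP/1.0" 200 812',
    '10.0.0.5 - - [24/Sep/1996:10:06:00 -0400] "GET /docs/phf-notes.html HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for host, info in sorted(scan_phf(SAMPLE_LOG).items()):
        verdict = "phf ran: assume the password file was taken" if info["succeeded"] else "probe"
        print(f"{host}: {info['count']} phf request(s), first {info['first_seen']}: {verdict}")
```

A 200 on a phf request means the script executed, so the host's password file should be treated as disclosed and the passwords changed, which is the follow-up the summary's passwd_file_protection tech tip addresses.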