
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-06-16



UK Critical Infrastructure and Business Trojan Attacks (Updated), imap scanning, Opera vulns, Adobe Reader/Acrobat vuln, NIST Control Tool, Mailbag

Published: 2005-06-16
Last Updated: 2005-06-16 23:01:52 UTC
by Patrick Nolan (Version: 1)
UK Critical Infrastructure and Business Trojan Attacks


Britain's NISCC has issued "Breaking News" and is "warning that vital computer networks are at risk of attack." "The attackers' aim appears to be covert gathering and transmitting of commercially or economically valuable information." "To learn more see the NISCC briefing Targeted Trojan Email Attacks"

http://www.uniras.gov.uk/niscc/index-en.html

http://www.uniras.gov.uk/niscc/docs/ttea.pdf

UPDATE: Other governments issue warnings. A principal concern is:

"The subject line and text of the e-mails appear relevant to the recipient's work, or may be copied from a previous legitimate e-mail;

"The attachment name and type appear relevant to the text and to the recipient's work."(1)


(1) Canadian Cyber Incident Response Centre CCIRC

http://www.ocipep.gc.ca/opsprods/info_notes/IN05-001_e.asp
Australian Department of Defence DSD Advisory DA-2005-01

http://www.dsd.gov.au/_lib/pdf_doc/advisories/DA-2005-01.pdf

imap scanning


According to DShield data covering the last year, port 143/imap has been targeted by a relatively low number of systems that are scanning higher-than-average numbers of targets. The notable dates are:

Date         Sources   Targets
2005-06-11   82        143,714
2005-06-02   83        102,212
2005-05-02   57         94,422
2005-04-07   68        102,246
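
The pattern in the table above, few sources reaching many targets on port 143, can be looked for in local firewall logs. The following is an added example, not code from the diary or from DShield; the record format, the sample addresses and the min_targets threshold are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample():
    """Constructed records, not DShield data: 'date source_ip target_ip target_port'.
    Addresses come from the RFC 5737 documentation ranges."""
    lines = [f"2005-06-11 192.0.2.10 198.51.100.{i} 143" for i in range(1, 41)]  # wide scan
    lines += ["2005-06-11 192.0.2.20 198.51.100.5 143"] * 6   # one client, one mail server
    lines += [f"2005-06-11 192.0.2.30 198.51.100.{i} 80" for i in range(1, 31)]  # other port
    lines.append("truncated record")                          # malformed, must be skipped
    return lines

def parse(lines):
    """Return (date, source, target, port) tuples, dropping malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            records.append((parts[0], parts[1], parts[2], int(parts[3])))
    return records

def daily_summary(records, port=143):
    """Distinct sources and targets per day for one port (the table's two columns)."""
    sources, targets = defaultdict(set), defaultdict(set)
    for day, src, dst, dport in records:
        if dport == port:
            sources[day].add(src)
            targets[day].add(dst)
    return {day: (len(sources[day]), len(targets[day])) for day in sources}

def fanout_scanners(records, port=143, min_targets=20):
    """Sources that reached at least min_targets distinct targets on the port in a day.
    min_targets is an assumed threshold; tune it against your own baseline."""
    seen = defaultdict(set)
    for day, src, dst, dport in records:
        if dport == port:
            seen[(day, src)].add(dst)
    return sorted((day, src, len(dsts)) for (day, src), dsts in seen.items()
                  if len(dsts) >= min_targets)

if __name__ == "__main__":
    recs = parse(build_sample())
    print(daily_summary(recs))
    print(fanout_scanners(recs))
```

Counting distinct targets per source, rather than raw packets, keeps a busy legitimate mail client from being flagged alongside a scanner.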

There have been multiple imap vulnerabilities (and patches) announced by various vendors over the same time period (and earlier). They can be reviewed at:

FrSIRT "imap" string search results:
http://www.frsirt.com/english/vuln.php?search=imap
And "Thanks" FrSIRT for the site tweak!

Secunia "imap" string search - announcements by date:
http://secunia.com/search/date/?search=imap

Opera Cross Site Scripting and Security Bypass Vulnerabilities

FrSIRT has posted information about three Opera vulnerabilities, described at:

http://www.frsirt.com/english/advisories/2005/0790

Opera Upgrade Links
"First Opera 8 upgrade released today, Oslo, Norway - June 16, 2005"

http://www.opera.com/announcements/en/2005/06/16/

For Mac lovers, "Opera 8 delivers secure browsing to Macintosh - Oslo, Norway - June 16, 2005"

http://www.opera.com/pressreleases/en/2005/06/16/

Verisign's "Internet Security Intelligence Briefing - June 2005" is available here:

http://www.verisign.com/static/030910.pdf

Always a great read.

Mailbag - a Security Conference resource and subject matter question

I'll try to post useful answers to the areas of interest expressed in the next submission by the end of the shift.

Gary "was wondering if you could ask the readers of the diary which security conferences they find worthwhile to attend (besides the always educational SANS conferences, of course)? I have some money in the budget for training/conferences and not only was I unable to find a security conference that sounded interesting, I couldn't even find a calendar that listed upcoming conferences by various organizations. Does such a thing exist?"

Adobe Reader and Acrobat 7.0-7.0.1 vulnerability

XML External Entity vulnerability (Adobe Reader and Acrobat 7.0-7.0.1)
From Adobe - "Under certain circumstances, using XML scripts it is possible to discover the existence of local files" and "the impact is minimized due to the fact that the existence of local files can only be discovered if the complete filenames and paths are known in advance by the attacker." Upgrade links are at:

http://www.adobe.com/support/techdocs/331710.html

Miscellaneous

NIST Control Tool
I missed this announcement in April, better late than never, ymmv:
NIST SP 800-53 Database Application

http://csrc.nist.gov/sec-cert/download-800-53database.html

General: The NIST SP 800-53 database application is a FileMaker runtime database solution. It represents the security controls that are organized into families for ease of use in the control selection and specification process. The security control structure consists of three key components: a control section, a supplemental guidance section, and a control enhancements section. The minimum assurance requirements (i.e., low, moderate, and high) for security controls are applicable to each control. The user can browse the security controls based on various criteria, search for specific control, and export the control to various file types (e.g., tab-separated text file, comma-separated text file, XML, etc.)

Installation:

The application is a self-contained read-only executable and requires at least 50 MB of free disk space. The NIST SP 800-53 database application requires Microsoft Windows 2000 or XP and will not run under Windows 9x. The database application has also been tested with Mac OS X Version 10.3.x.

Patrick Nolan