SANS ISC: OpenSSH 3.9 has just been released, Rumors of new Download.Ject Worm, SEC Warning about Telephone Fraud Scam, My Favorite Quote of the Day

• SANS Site Network
  • Current Site
  • Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

OpenSSH 3.9 has just been released. According to information available regarding this release there are several changes since version 3.8.

* Added new "IdentitiesOnly" option to ssh(1), which specifies that it
should use keys specified in ssh_config, rather than any keys in ssh agent(1)

* Make sshd(8) re-execute itself on accepting a new connection. This
security measure ensures that all execute-time randomisations are
reapplied for each connection rather than once, for the master
process' lifetime. This includes mmap and malloc mappings, shared
library addressing, shared library mapping order, ProPolice and
StackGhost cookies on systems that support such things

* Add strict permission and ownership checks to programs reading
~/.ssh/config NB ssh(1) will now exit instead of trying to process a
config with poor ownership or permissions

* Implemented the ability to pass selected environment variables
between the client and the server. See "AcceptEnv" in sshd_config(5)
and "SendEnv" in ssh_config(5) for details

* Added a "MaxAuthTries" option to sshd(8), allowing control over the
maximum number of authentication attempts permitted per connection

* Added support for cancellation of active remote port forwarding
sessions. This may be performed using the ~C escape character,
see "Escape Characters" in ssh(1) for details

* Many sftp(1) interface improvements, including greatly enhanced "ls"
support and the ability to cancel active transfers using SIGINT (^C)

* Implement session multiplexing: a single ssh(1) connection can now
carry multiple login/command/file transfer sessions. Refer to
the "ControlMaster" and "ControlPath" options in ssh_config(5) for
more information

* The sftp-server has improved support for non-POSIX filesystems (e.g.
FAT)

* Portable OpenSSH: Re-introduce support for PAM password
authentication, in addition to the keyboard-interactive driver. PAM
password authentication is less flexible, and doesn't support pre-
authentication password expiry but runs in-process so Kerberos
tokens, etc are retained

Thanks to Donald Smith for providing us with the following information overview:

Of these 1,2,3,4 and 10 are all security related. With 1,2,3 and 4 being
issues that were considered by many to be minor security flaws in
openssh.

Pam was pulled when there were some issues with pam libraries that led
to a potential vulnerability in openssh.

Portable OpenSSH 3.7.1p2 and newer are not vulnerable to "September 23,
2003: Portable OpenSSH Multiple PAM vulnerabilities", OpenSSH Security
Advisory. (This issue does not affect OpenBSD versions)

http://www.openssh.com/

Rumors of new Download.Ject Worm

We have heard rumors that there maybe a new worm on the loose. Reports have stated that this worm arrives as an innoculous looking instant message on AIM or ICQ which says "My personal home page http://XXXXXXX.X-XXXXXX.XXX/". Once the user clicks on this link Internet Explorer opens a malicious website that infects the user through several IE vulnerabilities such as Object Data, Ibiza CHM and MHTML Redirect.

The most noticeable end-user effects of being infected with this new Download.Ject worm is a modifed Homepage and search pane in the browser. In place of the users ordinary Homepage is a site called TargetSearch and several browser windows displaying adult advertisement and referal links. There are obvious financial motivations behind this worm.

Please let the Handler's know if anyone has received an actual copy of this.

SEC Warning about Telephone Fraud Scam

It appears there is yet another scam trying to take our hard earned dollars from our hands. This time the technology that is being used to scam is the telephone. According to the Securities and Exchange Commission says that the message is designed to sound as if the speaker didn't realize that he or she was leaving the hot tip on the wrong machine. The message is intended to lead you to believe that there is a stock that is going to drastically increase in value and that you could make a huge profit. In reality, the only one making the huge profit will be the scammers. To read the full story and find out how to report this scam should you receive one of these calls see the Securities and Exchange Commission web site.

http://www.sec.gov/investor/pubs/wrongnumberscam.htm

My Favorite Quote of the Day

Thanks to Donald Smith for my favorite quote of the day.

Everyday is virus day.
Do you know where your recovery CDs are?
Did you create them yet?
Deb Hale

Handler On Duty

haled@pionet.net