[INFOCON] - OCIPEP AV02-047 Trojan Horse: tcpdump and libpcap Distributions

2002-11-13 Thread Wanja Eric Naef \(IWS\)


-Original Message-
From: Opscen (OCIPEP / GEOCC) [mailto:Opscen@;OCIPEP-BPIEPC.GC.CA] 
Sent: 14 November 2002 00:57
To: OCIPEP EXTERNAL DISTRIBUTION LISTS
Subject: AV02-047 Trojan Horse: tcpdump and libpcap Distributions
Importance: High

THE OFFICE OF CRITICAL INFRASTRUCTURE PROTECTION AND EMERGENCY PREPAREDNESS

*
ADVISORY
*

Number: AV02-047
Date:   13 November 2002

***
Trojan Horse: tcpdump and libpcap Distributions
***

PURPOSE
This advisory brings attention to the CERT/CC ADVISORY CA-2002-30, which reports that several of the released source code distribution packages of tcpdump, a network sniffer, and libpcap, a packet acquisition library, were modified by an intruder and contain a Trojan horse.


ASSESSMENT
The malicious code runs when the affected tcpdump source code is compiled. The Trojan horse contains a fixed host and a fixed IP address embedded in the code. The intruder operating from or impersonating the fixed remote address could gain unauthorised remote access with the privileges of the user who compiled the source code.


SUGGESTED ACTION
It is recommended that a copy of the source code be obtained from a trusted site. Please refer to http://www.cert.org/advisories/CA-2002-30.html for further details.
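The suggested action above amounts to one check a practitioner should automate: before a downloaded source distribution is compiled, compare its digest with a reference value published by a trusted site and refuse to build on a mismatch. The script below is an added example and is not part of the OCIPEP or CERT/CC advisory; the reference digest is assumed to be obtained out-of-band from a trusted source, and the "good" and "tampered" file contents are constructed stand-ins for real tarballs.

```python
# Added example: integrity check for a downloaded source distribution before
# it is compiled. This is not code from the OCIPEP or CERT/CC advisory; the
# reference digest is assumed to come out-of-band from a trusted site, and
# the sample file contents are constructed for the demonstration.
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=64 * 1024):
    """Hash a file in chunks so large tarballs do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distribution(path, expected_hex, algorithm="sha256"):
    """True only if the file's digest matches the trusted reference value.

    hmac.compare_digest gives a constant-time comparison; whitespace and
    letter case in the published reference are normalised first.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def build_if_verified(path, expected_hex):
    """Gate the build step on the integrity check; refuse to build on mismatch."""
    name = os.path.basename(path)
    if not verify_distribution(path, expected_hex):
        return "REFUSED: digest mismatch, do not compile " + name
    return "OK: digest verified for " + name


def demo():
    """Write a constructed genuine file and a tampered copy, then check both."""
    good = b"tcpdump source distribution (constructed stand-in for a tarball)\n"
    tampered = good + b"# one extra line, as a modified distribution would carry\n"
    # The reference value a trusted site would publish for the genuine file.
    reference = hashlib.sha256(good).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("tcpdump-good.tar.gz", good),
                           ("tcpdump-tampered.tar.gz", tampered)):
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = build_if_verified(path, reference)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The digest alone only proves the file matches what the trusted site published; if the reference is fetched from the same mirror as the tarball, an attacker who modified one could modify both, so the reference should come from an independent channel (a signed announcement, a separately hosted checksum list).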


CONTACT US
For urgent matters or to report any incidents, please contact OCIPEP's Emergency Operations Centre at:

Phone:  (613) 991-7000
Fax:    (613) 996-0995
Secure Fax: (613) 991-7094
Email:  [EMAIL PROTECTED]

For general information, please contact OCIPEP's Communications Division at:

Phone: (613) 944-4875 or 1-800-830-3118
Fax:   (613) 998-9589
Email: [EMAIL PROTECTED]
Web Site:  www.ocipep-bpiepc.gc.ca


NOTICE TO READERS
When the situation warrants, OCIPEP issues Advisories to communicate information about potential, imminent or actual threats, vulnerabilities or incidents assessed by OCIPEP as limited in scope but having possible impact on the Government of Canada or other sectors of Canada's critical infrastructure. Recipients are encouraged to consider the real or possible impact on their organization of the information presented in the Advisory, and to take appropriate action.

The information in this OCIPEP Advisory has been drawn from a variety of external sources. Although OCIPEP makes reasonable efforts to ensure the accuracy, currency and reliability of the content, OCIPEP does not offer any guarantee in that regard.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Upon conviction of an indictable offence, an individual is liable to imprisonment for a term not to exceed ten years. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS).

==


THE OFFICE OF CRITICAL INFRASTRUCTURE PROTECTION AND EMERGENCY PREPAREDNESS


SECURITY ADVISORY


Number: AV02-047
Date:   13 November 2002

**
Trojan Horse: tcpdump and libpcap Distributions
**

PURPOSE
This advisory draws your attention to the CERT/CC ADVISORY CA-2002-30, which reports that several released source code distributions of the tcpdump software package, a network sniffer, and libpcap, a packet acquisition library, were modified by an intruder and contain a Trojan horse.


ASSESSMENT
The malicious code is activated when the affected tcpdump source code is compiled. The Trojan horse contains a fixed Internet address and a fixed IP address buried in the code. An intruder operating from, or impersonating, the fixed Internet address could obtain unauthorised remote access using the access privileges of the user who compiled the source code.


PROPOSED MEASURE
It is recommended to obtain a copy of the source code from a trusted site. For further information, please consult http://www.cert.org/advisories/CA-2002-30.html (in English only).


HOW TO CONTACT US
For urgent questions, or to report incidents, please contact the OCIPEP Emergency Operations Centre at:

Telephone:  (613) 991-7000
Fax:        (613) 996-0995
Secure Fax: (613) 991-7094
Email:      [EMAIL PROTECTED]

For general information, please contact the OCIPEP Communications Division at:


[INFOCON] - NCIX Report: Espionage Against the United States by American Citizens 1947-2001

2002-11-13 Thread Wanja Eric Naef \(IWS\)
(NCIX is the Office of the National Counterintelligence Executive. WEN)

-Original Message-
From: @ncix.gov] 
Sent: 13 November 2002 12:34
Subject: NCIX WEB SITE UPDATE ADVISORY #20-2002

Dear Friends and Colleagues: 

A Defense Personnel Security Research Center (PERSEREC) report entitled
Espionage Against the United States by American Citizens 1947-2001 may
be viewed by linking to http://www.ncix.gov/news/index.html .  The
report is based on an unclassified database of 150 individuals involved
in espionage that is maintained at PERSEREC.   Any questions regarding
this 135 page report should be directed to PERSEREC at
[EMAIL PROTECTED] 






IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk





[INFOCON] - News 11/13/02

2002-11-13 Thread Wanja Eric Naef \(IWS\)
---

[2] President Bush Pushes for Homeland Security Department 

Remarks by the President at District of Columbia Metropolitan Police
Operations Center

District of Columbia Metropolitan Police Operations Center
Washington, D.C. 

10:24 A.M. EST 

THE PRESIDENT: Thank you all. Please be seated. Thanks a lot. I want you
to note, the Mayor said I made him a senior advisor. (Laughter.) Mr.
Mayor, you're doing a great job for the city of Washington, D.C. I'm
honored that I'm living in your neighborhood. And as I told a lot of the
folks who I had the honor of meeting just a while ago at the Emergency
Operations Center, I feel safe living here. And so does my family. And
so do a lot of families, thanks to the dedication and hard work of
people on the front line of making sure that this city is buttoned up,
dealing with the threats we face.

http://www.whitehouse.gov/news/releases/2002/11/20021112-1.html 

 

[3] Bush wins on homeland security bill 
By Joseph Curl and Audrey Hudson 
THE WASHINGTON TIMES

President Bush, capitalizing on the Republicans' historic victory in
last week's congressional elections, yesterday won the battle with the
Democrat-controlled Senate over his plan to create a Department of
Homeland Security. 

Senate Democrats led by John B. Breaux of Louisiana and Ben Nelson of
Nebraska signed off on a White House-backed proposal, which is expected
to pass overwhelmingly in the House and Senate, where it has been bogged
down for weeks.

http://www.washtimes.com/national/20021113-14803141.htm

 

[4] Comment: An ally in the fight for safer IT

Mark Street, IT Week [08-11-2002] 

The narrow emphasis on return on investment (ROI) to justify spending is
getting to be extremely counterproductive.

This approach discourages risk-taking, because it is hard to make
financial forecasts for projects that have uncertainty attached to them.
It is little wonder that most IT directors are loath to champion new,
potentially business-transforming initiatives given the fact that they
will shoulder most of the blame if things go wrong. 

http://www.vnunet.com/Analysis/1136696 

 

(I would be really surprised if he were dead, as then he would have been a martyr and there would have been a media blitz in some extremist circle. To see how difficult it is to hunt someone down, just read Mark Bowden's book 'Killing Pablo'. WEN)

[5] Purported Bin Laden Tape Lauds Bali, Moscow Attacks 
 
A voice attributed to Osama bin Laden praises recent attacks on Western
targets. (File Photo/AP) 

By Rajiv Chandrasekaran
Washington Post Foreign Service
Wednesday, November 13, 2002; Page A01 

CAIRO, Nov. 12 -- An audiotape recording attributed to Osama bin Laden,
the fugitive al Qaeda leader, extolled the recent attacks in Bali and
Moscow in a bellicose statement that, if authentic, would be the
clearest indication in almost a year that bin Laden is alive and
determined to pursue his Islamic war on the United States.

http://www.washingtonpost.com/wp-dyn/articles/A45816-2002Nov12.html 

 

[6] Incident underscores need for space access

by Tech. Sgt. Scott Elliott
Air Force Print News

11/12/02 - WASHINGTON -- The Air Force's senior space official said a rocket test failure has sounded a warning and underscores the need to apply the resources necessary to assure access to space.

The RL-10, designed by Pratt & Whitney in 1958, is an upper-stage engine used in Centaur and Atlas II rockets, as well as the Delta IV rocket scheduled for its first launch Nov. 16.

http://www.af.mil/news/Nov2002/111202726.shtml 

 

[7] House OKs $903M for Cyber Security Research 
By Roy Mark 

The U.S. House of Representatives made the approval of $903 million for cyber security research its first order of business Tuesday, unanimously passing legislation that will create scholarships, grants and research centers at American colleges and universities. The Senate has already approved the legislation, and the bill now goes to President George W. Bush, who is expected to sign the measure.

The bill, the Cyber Security Research and Development Act (H.R. 3394),
more than triples federal spending on security research. Approved on a
voice vote, the legislation increases government spending on cyber
security research over five years from its current annual level of
approximately $60 million to $111 million in 2003 and peaking at $231
million in 2007. 

http://www.atnewyork.com/news/article.php/1499391 

 

[8] E-tailers opt for Early Warning system 

By Dinah Greek [13-11-2002]

Fraudbusting programme gives e-tailers advance warning of o

[INFOCON] - UNIRAS ALERT - 24/02 - Multiple Remote Vulnerabilities in BIND4 and BIND8

2002-11-13 Thread Wanja Eric Naef \(IWS\)


-Original Message-
From: UNIRAS (UK Govt CERT) [mailto:uniras@;niscc.gov.uk] 
Sent: 13 November 2002 09:38
To: [EMAIL PROTECTED]
Subject: UNIRAS ALERT - 24/02 - Multiple Remote Vulnerabilities in BIND4
and BIND8

-BEGIN PGP SIGNED MESSAGE-

--------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) ALERT Notice - 24/02 dated 13.11.02  Time: 09:45
   UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
--------------------------------------------------------------------------------
   UNIRAS material is also available from its website at www.uniras.gov.uk and
   Information about NISCC is available from www.niscc.gov.uk
--------------------------------------------------------------------------------

Title
=====

Multiple Remote Vulnerabilities in BIND4 and BIND8

Detail
======

 Internet Security Systems Security Advisory
  November 12, 2002
   
  Multiple Remote Vulnerabilities in BIND4 and BIND8

  Synopsis:
   
  ISS X-Force has discovered several serious vulnerabilities in the Berkeley
  Internet Name Domain Server (BIND). BIND is the most common implementation
  of the DNS (Domain Name Service) protocol, which is used on the vast
  majority of DNS servers on the Internet. DNS is a vital Internet protocol
  that maintains a database of easy-to-remember domain names (host names)
  and their corresponding numerical IP addresses.

  Impact:
   
  The vulnerabilities described in this advisory affect nearly all currently
  deployed recursive DNS servers on the Internet. The DNS network is
  considered a critical component of Internet infrastructure. There is no
  information implying that these exploits are known to the computer
  underground, and there are no reports of active attacks. If exploits for
  these vulnerabilities are developed and made public, they may lead to
  compromise and DoS attacks against vulnerable DNS servers. Since the
  vulnerability is widespread, an Internet worm may be developed to
  propagate by exploiting the flaws in BIND. Widespread attacks against the
  DNS system may lead to general instability and inaccuracy of DNS data.

  Affected Versions:

  BIND SIG Cached RR Overflow Vulnerability   

  BIND 8, versions up to and including 8.3.3-REL
  BIND 4, versions up to and including 4.9.10-REL

  BIND OPT DoS

  BIND 8, versions 8.3.0 up to and including 8.3.3-REL

  BIND SIG Expiry Time DoS

  BIND 8, versions up to and including 8.3.3-REL

  Description:

  BIND SIG Cached RR Overflow Vulnerability

  A buffer overflow exists in BIND 4 and 8 that may lead to remote
  compromise of vulnerable DNS servers. An attacker who controls any
  authoritative DNS server may cause BIND to cache DNS information within
  its internal database, if recursion is enabled. Recursion is enabled by
  default unless explicitly disabled via command line options or in the
  BIND configuration file. Attackers must either create their own name
  server that is authoritative for any domain, or compromise any other
  authoritative server with the same criteria. Cached information is
  retrieved when requested by a DNS client. There is a flaw in the
  formation of DNS responses containing SIG resource records (RR) that can
  lead to buffer overflow and execution of arbitrary code.

  BIND OPT DoS

  Recursive BIND 8 servers can be caused to abruptly terminate due to an
  assertion failure. A client requesting a DNS lookup on a nonexistent
  sub-domain of a valid domain name may cause BIND 8 to terminate by
  attaching an OPT resource record with a large UDP payload size. This DoS
  may also be triggered for queries on domains whose authoritative DNS
  servers are unreachable.

  BIND SIG Expiry Time DoS

  Recursive BIND 8 servers can be caused to abruptly terminate due to a
  null pointer dereference. An attacker who controls any authoritative name
  server may cause vulnerable BIND 8 servers to attempt to cache SIG RR
  elements with invalid expiry times. These are removed from the BIND
  internal database, but later improperly referenced, leading to a DoS
  condition.

  Recommendations:

  ISS X-Force recommends that system administrators immediately take steps
  to protect their networks. ISS has made several product updates available
  to assess vulnerability to this issue as well as protect customers from
  exploitation attempts.

  The following ISS updates and product releases address the issues
  described in this advisory. These updates are available from the ISS
  Download Center (http://www.iss.net/download):

  RealSecure Network Sensor XPU 20.7 and XPU 5.6
  Internet Scanner XPU 6.20
  RealSecure Guard 3.1 ebs
  RealSecure Sentry 3.1 ebs
  RealSecure Server Sensor 6.5 SR 3.3
  System Scanner SR 3.08

  As a workaround for DNS servers that do not need recursive DNS
  functionality, it is recommended to disable recursion within the BIND
  configuration file:

  BIND
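The advisory's configuration excerpt is cut off above. As an added illustration, not the ISS advisory's own text, the named.conf options block below shows the setting the workaround refers to: the default, which leaves recursion enabled, beside the hardened setting for an authoritative-only server. `recursion` and `allow-recursion` are standard BIND directives; the address list shown is an assumed placeholder for your own client networks.

```text
options {
    // ... other existing options ...

    // Default behaviour: recursion is on unless explicitly disabled, so an
    // authoritative-only server still caches answers from remote servers.
    // recursion yes;

    // Workaround from the advisory: an authoritative-only server refuses
    // recursive queries entirely, so it never caches remote SIG RRs.
    recursion no;

    // If the server must recurse for internal clients, restrict recursion to
    // those networks instead (on BIND versions that support allow-recursion);
    // 192.0.2.0/24 is a placeholder, replace it with your client networks.
    // allow-recursion { 192.0.2.0/24; localhost; };
};
```

After changing the file, reload the name server and confirm from an external address that recursive queries are refused, while queries for the zones the server is authoritative for still succeed.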