Updated: 24.11.2002; 15:58:12.
disLEXia
lies, laws, legal research, crime and the internet
        

Monday, July 8, 2002

Internet Attacks Reported on the Rise

About 70 percent of all power and energy companies worldwide were hit by at least one severe Internet attack in the past six months -- an increase of 13 percent over the previous six months, according to a report released today.

The Internet Security Threat Report, written by Riptech Inc., an Alexandria-based Internet-security firm, said some of the attacks originated in countries on the Department of Homeland Security's Cyber-terrorism Watch List, but it was not clear whether crucial services here or abroad were being targeted by terrorist groups. [NewsFactor Cybercrime & Security]
22:33

FreeBSD Scalper worm, a bad precedent...

The recent Apache "scalper" worm, targeting FreeBSD systems, represents a dangerous precedent, even if it is a rather ineffective worm: it linearly scans randomly selected class Bs, it doesn't employ a very good scanner, and it can only infect a few types of machines (Apache 1.3.20, .22-24 running on FreeBSD).

It was roughly 10 days between when Gobbles Security released an exploit for the recent Apache vulnerability (in response to ISS's statement two days earlier, announcing the vulnerability and stating that it was only exploitable on win32 and some 64-bit platforms) and when the worm was seen in the wild. This compares with several months for Code Red and Nimda between vulnerability disclosure and appearance of a worm.

We can expect this time to reduce to nearly 0 in the future, as worm authors prepare worms in advance, or borrow existing worm code, and simply drop in exploits as they are published. As we have already seen mail worm toolkits, we can expect similar active scanning worm toolkits. This means that the window of vulnerability between when an exploit or flaw is published, and when it is actively exploited, will quickly reduce to zero.

As important, this worm contained a controllable DOS and backdoor module, something directly useful to a blackhat, as did the Goner mail worm. The blackhat community has realized that worms are a great way to compromise machines with little effort and little risk.

My personal, somewhat hazy crystal ball: Over the next year, we will see a lot of "1 day" worms, where shortly after an exploit is published, a corresponding worm will be released. These worms will almost invariably carry DDoS, credit card searchers, or similar payloads optimized for blackhat goals. We probably will see toolkits!

We will also start to see worms appearing less than 2-3 days after a detailed vulnerability is reported, as slightly more sophisticated blackhats create an exploit, drop it into existing frameworks, and release worms.

Be Afraid (tm).

Scalper Worm code and first detection was at http://www.dammit.lt/apache-worm/

Nicholas C. Weaver ["Nicholas C. Weaver" via risks-digest Volume 22, Issue 15]
22:31

The Clouds of Digital War

Many security experts fear that the next big terrorist strike against the United States might be on -- and through -- the Internet and other vital interconnected computer networks. And the suspected attacks won't just deny Net surfers access to their favorite Web site or increase the risk of damaging computer viruses through e-mail. Rather, experts say the next cyber attack could actually lead to physical damage to real-world targets. [ABCnews]
16:25

X marks the spot for hackers

Strange chalked symbols have begun to appear among the graffiti sprayed on the walls of Melbourne's city buildings.

They are the marks of the "war chalkers" - computer hackers who roam the streets with radio-equipped notebook computers, trying to find open or unguarded wireless computer networks they can penetrate. [The Age]
16:00


Maximillian Dornseif, 2002.
 