From proff Thu May 23 14:25:43 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id OAA26299 for best-of-security; Thu, 23 May 1996 14:25:43 +1000
Received: from why.cert.org (why.cert.org [192.88.210.60]) by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA10805 for ; Thu, 23 May 1996 07:40:11 +1000
Received: (from cert-advisory@localhost) by why.cert.org (8.6.12/CERT-ecd.1) id QAA02312 for cert-advisory-queue-4; Wed, 22 May 1996 16:49:01 -0400
Date: Wed, 22 May 1996 16:49:01 -0400
Message-Id: <199605222049.QAA02312@why.cert.org>
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Summary CS-96.03
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Sender: proff

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(sm) Summary CS-96.03                                       May 22, 1996

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems.

We also list new or updated files that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

We have changed the way we sign CERT publications. Before May 20, 1996, we
put our PGP signature in a separate .asc file, which was available for
anonymous FTP. As of May 20, 1996, the CERT PGP signature is in the document
itself. CS-96.03 (this summary), VB-96.06, and VB-96.07 are signed this way.
The first advisory to be signed this way will be CA-96.10, which has not yet
been released. In addition, we have removed the .asc files from past
publications and re-signed them in the text.
You can get the CERT public key from PGP Public Key Servers and from

        ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Recent Activity
- ---------------

Since the March CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Password files and cracking

   We have seen an increase in incidents in which intruders obtain password
   files from sites and then try to compromise accounts by cracking
   passwords. Once intruders gain access to a user account, they attempt to
   gain root access through a cracked root password or by exploiting another
   vulnerability.

   These incidents point to the need for system administrators to address
   three areas:

   - Protect your password file so an intruder cannot obtain a copy of it.

   - Ensure that good passwords are selected so that they cannot easily be
     cracked, or use a technology where passwords are not located in the
     password file.

   - Ensure that you are up to date with security patches and workarounds
     and watch for unusual activity.

   To learn more about these problems, see the following file:

        ftp://info.cert.org/pub/tech_tips/passwd_file_protection

2. Linux machines

   We have seen an increase in break-ins and root compromises of Linux
   machines. In some cases, the intruders are installing packet sniffers on
   Linux machines.

   If you use Linux on your machines, we recommend that you keep up to date
   with patches and security workarounds. We also recommend that you review

        ftp://info.cert.org/pub/cert_advisories/CA-94:01.ongoing.network.monitoring.attacks
        ftp://info.cert.org/pub/cert_advisories/CA-94:01.README

   The advisory describes sniffers and suggests approaches for addressing
   the problem; the README file contains updated information. We also
   recommend that you monitor the Linux newsgroups and mailing lists for
   security patches and workarounds.
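   As an added illustration of the sniffer problem in item 2 (this is example
   code written for this page, not part of the CERT summary or of any CERT
   tool), the script below checks whether any network interface is in
   promiscuous mode, which a host-based sniffer normally requires. It assumes
   a Linux host where /sys/class/net/<iface>/flags exposes the interface
   flags as a hex string and IFF_PROMISC is bit 0x100; for hosts without
   sysfs it also parses ifconfig-style output in both the older and the newer
   layout. The sample inputs embedded in it are constructed for the example.

```python
"""Report network interfaces in promiscuous mode, a common sign of a packet sniffer.

Added example; not part of the CERT summary. Assumes Linux sysfs
(/sys/class/net/<iface>/flags) and the IFF_PROMISC bit value 0x100.
"""
import os
import re

IFF_PROMISC = 0x100  # Linux IFF_PROMISC flag bit (assumed from <linux/if.h>)

# Matches PROMISC as a whole token, both in "flags=4419<UP,...,PROMISC,...>"
# and in the older "UP BROADCAST RUNNING PROMISC MULTICAST" line style.
_PROMISC_TOKEN = re.compile(r"\bPROMISC\b")


def read_sysfs_flags(root="/sys/class/net"):
    """Collect {iface: hex flag string} from sysfs; empty dict if unavailable."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for iface in os.listdir(root):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags[iface] = fh.read()
        except OSError:
            continue  # not a network interface directory, or unreadable
    return flags


def promisc_from_flags(flags_by_iface):
    """Return the sorted interface names whose flag word has IFF_PROMISC set."""
    found = []
    for iface, text in flags_by_iface.items():
        try:
            value = int(text.strip(), 16)
        except ValueError:
            continue  # malformed flag value; skip rather than guess
        if value & IFF_PROMISC:
            found.append(iface)
    return sorted(found)


def promisc_from_ifconfig(output):
    """Return the sorted interface names flagged PROMISC in ifconfig-style text.

    A line that does not start with whitespace begins a new interface block
    ("eth0:" in the newer layout, "eth0      Link encap:" in the older one);
    the PROMISC token may appear on that line or on an indented one below it.
    """
    found = set()
    current = None
    for line in output.splitlines():
        if line and not line[0].isspace():
            current = line.split()[0].rstrip(":")
        if current and _PROMISC_TOKEN.search(line):
            found.add(current)
    return sorted(found)


# Constructed sample data (not captured from a real host).
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # UP | LOOPBACK
    "eth0": "0x1103\n",  # UP | BROADCAST | PROMISC | MULTICAST
    "eth1": "0x1003\n",  # UP | BROADCAST | MULTICAST
}

SAMPLE_IFCONFIG = """\
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
eth2      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

if __name__ == "__main__":
    live = promisc_from_flags(read_sysfs_flags())
    print("promiscuous interfaces on this host:", live or "none")
    print("sample sysfs flags:", promisc_from_flags(SAMPLE_FLAGS))
    print("sample ifconfig text:", promisc_from_ifconfig(SAMPLE_IFCONFIG))
```

   Run it from cron or a monitoring agent and alert on any non-empty result
   from a host that is not expected to run a capture tool; a legitimate
   intrusion-detection sensor will also show up here, so keep an allow list
   of hosts and interfaces where promiscuous mode is intended.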
   Additionally, a World Wide Web page that some sites reference is

        http://bach.cis.temple.edu/linux/linux-security

   Note that this reference should not be construed as a formal endorsement
   of the page or its contents. We are simply including it in this summary so
   that our readers are aware of its existence; you may evaluate it as
   appropriate to your situation.

3. Machines being probed to find known vulnerabilities

   We continue to get reports of machines being probed for known
   vulnerabilities. In many cases, these sites did not have up-to-date
   security patches and the machines were compromised at the root level.

   In some cases, the intruders are using the Internet Security Scanner
   (ISS). These intruders frequently use ISS on a large range of IP addresses
   and then use the information collected to compromise vulnerable computers.

   So that you can determine if your machines are vulnerable to the problems
   that ISS examines, you may wish to run ISS against your own site (in
   accordance with your organization's policies and procedures). ISS is
   available from

        ftp://info.cert.org/pub/tools/iss/iss13.tar

   We also encourage you to take relevant steps discussed in these documents:

        ftp://info.cert.org/pub/cert_advisories/CA-93:14.Internet.Security.Scanner
        ftp://info.cert.org/pub/cert_advisories/CA-93:14.README
        ftp://info.cert.org/pub/tech_tips/security_info
        ftp://info.cert.org/pub/tech_tips/packet_filtering

4. Mail spoofing and mail bombing

   We have seen a large increase in the number of reports concerning email
   spoofing, bombing, and spamming. To learn more about dealing with these
   issues, see the files:

        ftp://info.cert.org/pub/tech_tips/email_bombing_spamming
        ftp://info.cert.org/pub/tech_tips/email_spoofing

What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary
(March 26, 1996).
* New Additions

  ftp://info.cert.org/pub/cert_advisories/
        CA-96.07.java_bytecode_verifier
        CA-96.08.pcnfsd
        CA-96.09.rpc.statd

  ftp://info.cert.org/pub/cert_bulletins/
        VB-96.05.dec
        VB-96.06.freebsd
        VB-96.07.freebsd

  ftp://info.cert.org/pub/tech_tips
        root_compromise
        anonymous_ftp_abuses
        email_bombing_spamming
        email_spoofing
        passwd_file_protection

* Updated Files

  ftp://info.cert.org/pub/cert_advisories/
        CA-94:04.README
        CA-94:09.README
        CA-95:01.README (added a pointer to Argus)
        CA-95:13.README
        CA-96.02.README
        CA-96.06.README (added info from another response team)
        CA-96.07.README (added a pointer to Netscape 2.02)
        CA-96.08.README (updated fix info that was in the original Appendix B)
        CA-96.09.README (added info from TGV/Cisco, a workaround for SunOS 4.s,
                         and a clarification)
        CA-96.13.README (added info from the Santa Cruz Operation)

  ftp://info.cert.org/pub/tech_tips
        anonymous_ftp_config (file name changed)

  ftp://info.cert.org/pub/tools
        /ValidateHostname (replaced older version of IsValid.c and updated
                           the README)

  ftp://info.cert.org/pub/vendors
        /sgi/SGI_contact_info (added URL for SGI Security Web pages)

Keeping Current
- ---------------

Often during the course of our work, we learn about software upgrades that
fix security problems. In a new section of our FTP archive we list these
upgrades, their sources, and their MD5 checksums.

        ftp://info.cert.org/pub/latest_sw_versions/

If you use any of the software listed in this directory, we recommend that
you upgrade to the current versions. Among other changes, these new versions
address security weaknesses present in previous versions. If you have any
questions about the software listed in this directory, please contact the
vendor for more information.

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

        ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaN5L3VP+x0t4w7BAQFHVAQA0cqOEOjnHx6CaFEQMZGOja1o9wZyFEz8
cQNz4m4AHAtkEzTkCNjptyWTiUo0PM7Vq2H9EFHGRXB65ZZQkAoVb0vro0a1DrHi
MZDEqwk+YBPAYP54wutr5XFNnWwALe9zYqhaZLEFVjSrEiAacvY5m7c+A0TMMH62
9pHI76G4wf0=
=+Ds2
-----END PGP SIGNATURE-----