Security Supplement

Erap Virus Suspect Arrested in Philippines

Reports from the Philippines indicate that a 19-year-old male has been questioned by the authorities about the so-called "Erap Estrada" worm. The youth, who has not been named, was arrested on October 22 by agents of the National Bureau of Investigation (NBI) at his house in Laguna. Floppy disks and other computer equipment were seized by the NBI's Anti-Fraud and Computer Crimes Division. The man was later released pending further investigation. The Erap Estrada worm is a back door Trojan named after the nickname of the Philippine President, Joseph Estrada. www.sophos.com

Top Ten Viruses Reported to Sophos in October 2000

This is the latest in a series of monthly charts counting down the ten most frequently occurring viruses, as compiled by Sophos, specialists in anti-virus protection. For October 2000 the list is as follows, with the most frequently occurring virus at number one:

1. W32/Apology-B
2. VBS/LoveLet-AS
3. VBS/Kakworm
4. W32/Qaz
5. XM97/Jini-B
6. VBS/LoveLet-G
7. WM97/Marker-C
8. W32/Pretty
9. W32/Flcss
10. WM97/Thurs-T

"The most commonly encountered virus in October features a cunning trick," said Graham Cluley of Sophos Anti-Virus.
"The W32/Apology virus stops infected users from reaching the websites of many anti-virus vendors, preventing them from downloading protection." October witnessed one of the most high-profile hacks ever when Microsoft revealed that its corporate computer network had been penetrated. The hackers are believed to have used the Qaz worm, which features at number 4 in this month's top ten. For more information about W32/Apology-B visit http://www.sophos.com/virusinfo/analyses/w32apologyb.html; for Qaz visit http://sophos.com/virusinfo/analyses/trojqaz.html.

Information Warfare Techniques on the Increase

Entegrity Solutions says that the recently publicised attack on Microsoft's corporate network illustrates that information warfare (IW) is being practised against corporations, which increasingly store their intellectual property and assets on corporate information systems. New techniques threaten data integrity even when the target and adversary are not online at the same time. Historically, IW attacks have assumed that adversary and target are online simultaneously, allowing the adversary to "surf" the target and compromise its data. The new "Bunratty" attack, demonstrated at Compsec 2000, uses e-mail to compromise sensitive data on a target without the knowledge of the legitimate data owners. The use of covert e-mail represents a new dimension in IW, making necessary a whole new series of intrusion detection measures. www.entegrity.com

The Risk of Computer Virus Infection in Companies Continues to Get Worse

According to
the conclusions of the just-released 6th Annual Computer Virus Prevalence Survey, despite apparently improved awareness and implementation of security measures, the risk of virus infection in a corporate environment, far from decreasing, has once again doubled over the last year, raising virus incident costs further. The report, released by ICSA Labs (a division of ICSA.net) and sponsored by Panda Software among other companies, was based on a survey of U.S. companies and organisations with more than 500 PCs, two or more LANs and at least two remote connections. Between January 1999 and February 2000, 99.67% of the 300 organisations that took part reported having experienced at least one "encounter" (a virus detected before it spreads) with malicious code on their computers. In total, the same group reported some 303,356 encounters on their 855,889 computers throughout 1998, 1999 and the beginning of 2000. This figure represents an average of 160 cases per year (14 per month) for every 1,000 computers. Since 1996 there has been an annual increase on the order of 22 incidents per month. A relentless increase is also noticeable in the number of respondents reporting infections via e-mail attachments (up to 87%, against 56% the previous year). On the other hand, attacks via floppy disk and classic boot-sector viruses have virtually disappeared. This is attributed to the enormous increase in new communication networks and the gradual phasing out of floppy disks.
The authors of the study point out, however, that it could also be because these kinds of viruses are now sufficiently well controlled.

Devastating effects

The report identifies the following economic consequences for infected companies. No less than 51% of the entities surveyed admitted having suffered a "disaster" (defined as a virus infection of more than 25 computers at the same time), compared with 43% last year. As a consequence, the number of cases resolved in less than an hour has fallen dramatically, from 91% in the last survey to 36% in the current one. The average time that systems are inactive is reported as 21 hours, and in some cases systems have been down for more than 1,000 hours. The average recovery effort for these systems was 7 person-days, which caused an average of $120,000 in estimated direct costs. The damage is not restricted to a drastic loss of production (70% of respondents) but, as people are beginning to notice, extends to other kinds of disruption, including damage to files (66%), unusable workstations (50%) and information access problems (49%).

Causes and Solutions

The problem lies not so much in a lack of awareness amongst administrators about the dangers of viruses but, as the survey indicates, in the incorrect or insufficient use of available security tools (70% of desktops, 91% of servers, 45% of proxy devices and firewalls and 80% of e-mail gateways have permanent antivirus protection). Recommended precautions include:

* Generic virus protection at the desktop and e-mail gateway level.
* Heuristic antivirus technology, which alerts users on detection of behaviour typical of viruses, although this may sometimes cause false alarms.
* The use of alert services, which immediately warn clients of the outbreak of new malicious code and offer quick updates of antivirus products to prevent infection.

www.pandasoftware.com

UniCERT KeySteps Cuts Cost of PKI by 50%

Baltimore Technologies' UniCERT KeySteps, an e-security infrastructure implementation methodology, can, it is claimed, enable cost reductions and time savings of up to 50%. Like all infrastructure products, implementing an operational PKI (public key infrastructure) involves a significant level of design and business process engineering. UniCERT KeySteps consists of a series of steps backed by a comprehensive set of documentation templates and checklists that can save businesses up to 50% of service costs. Baltimore KeySteps is a structured methodology that enables organisations, consultants and systems integrators to implement large and small-scale e-security solutions. It provides a step-by-step guide taking the user through the necessary phases of a PKI implementation project, from initial conception and business case to post-implementation operation and support. UniCERT KeySteps separates the activities needed to implement a PKI into discrete phases or "KeySteps". The "products" or deliverables for each KeyStep are identified, and proven project management methods are used to ensure their delivery on time and to budget.
At each KeyStep the methodology provides templates for the products, plans, checklists and training material. www.baltimore.com/unicertkeysteps

Danes Defend Against Echelon

A Scandinavian security company claims that using European technology is the only way to guarantee that sensitive information is not intercepted by Echelon, a network of spying stations in the UK and Greenland set up in the Cold War to eavesdrop on military communications between Eastern bloc countries. The French, Danish and European Parliaments are currently investigating claims that the Americans are now using the satellites to facilitate industrial espionage against European competitors. Danish Internet connectivity specialist LASAT Networks claims that it is one of only a few European companies to have developed hardware-based security solutions with no US involvement.
www.lasat.com

Sonic: Another Self-Updating Internet Worm "in the Wild"

Kaspersky Lab is warning users of the discovery of a new Internet worm, Sonic, found in France and Germany on the morning of 30 October 2000. The distinctive feature of this malicious program is its ability to update itself (i.e. to automatically download additional component functionality) via the Internet. The worm consists of two parts: the loader and the main module. Copies of the loader are being distributed across the Internet by e-mail. Once the loader has penetrated the PC's operating system, it initiates a connection to the hacker's site on Geocities, a popular resource for free home pages. From there Sonic tries to download the main module and install it on the infected PC. The download procedure has been built in such a way that the worm's author can define its content. It is performed in the following steps:

1) The worm connects to the hacker's site.
2) It downloads the file LASTVERSION.TXT, containing the version number of the worm's main module available on the site.
3) If the infected computer has no main module installed, or the version on the site is higher, two files are downloaded from the site: nn.ZIP (where "nn" is the version number of the current main module) and GATEWAY.ZIP (the latest version of the loader).

The main purpose of the main module is unauthorised data capture, tracking all of the user's activities and gaining remote control over the infected computer (back door functionality). Kaspersky Lab believes that the worm's author can easily change the main module's payload, possibly to much more dangerous and destructive content. After the main module is installed, the worm secretly accesses the Windows Address Book (WAB), extracts the e-mail addresses found there and sends infected messages containing copies of the loader to all of them. In the worm's known versions the infected messages have the following details:

Subject: Choose your poison
Attachment: GIRLS.EXE

"This is not the first case in which we have discovered malicious code with self-updating ability via the Internet. Before Sonic, the Babylonia virus and the Resume worm had the same capabilities," said Denis
Zenkin, Head of Corporate Communications for Kaspersky Lab. "However, this is not something that catches our attention at the moment. What is more disturbing is that this feature appears to have become a new standard for malicious programs, since more and more of them can update themselves via the Internet. This is a very dangerous trend, as it allows hackers to extend their malware's abilities in real time with a direct connection to the infected computers." Further details on the Sonic worm are available in Kaspersky's Virus Encyclopedia (www.viruslist.com). Protection against this worm has already been added to the daily update of AntiViral Toolkit Pro (AVP).

Internet Authentication Service

An authentication service provider has been launched, dedicated to helping companies eliminate vulnerable passwords from e-business systems. Signify, the provider, estimates that over 90% of organisations still rely on standard passwords for the protection of their business-critical information systems. Passwords are vulnerable to many types of attack, including shoulder surfing.
Signify's service uses SecurID, the token-based technology from RSA Security Inc. The company is delivering SecurID as a managed online service for a per-user monthly fee. www.signify.net

File & Storage Administrator 2.0

File and Storage Administrator from NetIQ utilises Directory and Resource Administrator's Active View technology and provides the tools needed to simplify and track file, directory, share and service account management for Windows NT and Windows 2000-based servers throughout an enterprise. It allows IT administrators to delegate management of permissions over NT file systems, shares and Windows 2000's built-in disk quotas, enabling them to safely grant file and share permission management to non-administrative personnel. This new feature also lets administrators control not only what permissions are given out over a set of files, but also whose permissions can be changed by the administrative delegate. The product allows administrators to assess, audit, lock, analyse and correct potential file security threats and take immediate action to prevent security breaches. Permission management and auditing maximises file security by identifying potential file security problems and allowing fast modification of permissions across the Windows NT and Windows 2000 enterprise.
Additional new features include:

* An advanced, massively parallel reporting engine that allows IT administrators to take action on the reporting results. For example, one could use the engine to find and delete specified types of files, such as MP3 files, throughout a set of servers.
* Upgraded permission reporting, which provides quick location of who has permissions where and strengthens the ability to back up NTFS permissions so that they can be easily restored to roll back unwanted permission changes. Reports also include all files and permissions, the location of all files a user or group has access to, and file distribution by time since created, last modified and last accessed.
* On-demand reports for auditing, capacity planning, trend analysis, impact analysis and resource allocation to increase file server performance.

www.netiq.com

SUNRISE 4.2 Disaster Recovery

SUNRISE 4.2, the new release of the automated tracking and recovery software solution for System/390, allows the priority recovery of applications such as those supporting e-business systems. One of the major enhancements is the SUNVIEW PC-based option, which provides, via a graphical user interface, views of job and dataset history and activity.
A timeline bar representing each dataset in the cycle provides colour-coded displays of recoverability status at each point, aiding users in recovering applications. The SUNVIEW option also incorporates an interactive tool for modelling or creating "what if" backup scenarios to optimise systems. The value of the graphical representation is that it allows a user to see which files are exposed at what times, and to understand the key dependencies. Visualisation can, it is claimed, ensure that critical things are not overlooked in a disaster recovery plan. www.amdahl.com/software

Simultaneous Activity of Several Dangerous Internet Worms Detected

Kaspersky Lab has been receiving reports from users whose computers have been infected by the Internet worm Hybris. Kaspersky Lab recently informed users of this worm's danger, and reiterates that this virus is a very complex malicious code that can be updated by its author through his own Web page or through the anti-virus newsgroup alt.comp.virus, which is already replete with this virus's components. Also still active is an Internet worm called Navidad; although it is fairly harmless, it still causes users trouble. The infected e-mail contains an embedded file and the following message in Spanish: "Nunca presionar este boton" ("never press this button"). By clicking on the button the user causes himself headaches, because a dialogue box appears on screen telling him he has lost his computer due to his curiosity. In reality, however, this malicious code is easily deleted. The first reports about the Internet worm Music have arrived at Kaspersky Lab, which estimates that this worm has every chance of becoming an epidemic. An entertaining payload hiding the worm's main activity accompanies this virus, displaying a Christmas scene and playing a carol.
The Music worm's messages contain the following subject and texts:

Subject: Testing to send file
Text: Hi, just testing email using Merry Christmas music file, not bad music.
or:
Text: Hi, just testing email using Merry Christmas music file, you'll like it.

Music has the ability to upgrade its components from an Internet site. The worm downloads three files from there (which are supposed to be its plug-ins), detects their versions, and if those versions are higher than the ones currently in use, replaces its components with the new ones. The worm is thus able to change its functionality depending on its author's needs. www.kaspersky.com

To submit editorial, contact: Database and Network Journal Editors. E-mail: 106142.1713@compuserve.com
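Both the Sonic item and the Music item above describe worms that query an Internet site for a newer component and fetch it only when the version on offer is higher than the one installed. That two-step sequence (a small version file, then a versioned archive from the same directory, seconds apart) is visible on an outbound proxy, which is where a practitioner would look for it. The following is an added example and not Kaspersky Lab code: it parses constructed proxy log lines and flags any client that fetches a version file and then, within a short window, a numbered zip or GATEWAY.ZIP from the same directory, reporting which module version the client pulled. The log format, the client addresses and the Geocities directory path are assumptions made for the example; the write-up above says only that Sonic's update site was a Geocities page.

```python
"""Flag the 'check version, then fetch numbered component' sequence that the
Sonic loader uses (LASTVERSION.TXT, then nn.ZIP and GATEWAY.ZIP) in proxy logs.
Added example, not Kaspersky Lab code; log format, addresses and paths are
constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO timestamp> <client> <method> <url> <status>".
# 10.0.0.7  : version check followed by 12.ZIP and GATEWAY.ZIP -> flagged
# 10.0.0.9  : version check only (site had nothing newer)      -> not flagged
# 10.0.0.12 : numbered zip with no preceding version check      -> not flagged
# 10.0.0.21 : version check and zip, but hours apart            -> outside window
SAMPLE_LOG = """\
2000-10-30T09:12:01 10.0.0.7 GET http://www.geocities.com/example_page/LASTVERSION.TXT 200
2000-10-30T09:12:02 10.0.0.7 GET http://www.geocities.com/example_page/12.ZIP 200
2000-10-30T09:12:03 10.0.0.7 GET http://www.geocities.com/example_page/GATEWAY.ZIP 200
2000-10-30T09:15:44 10.0.0.9 GET http://www.geocities.com/example_page/LASTVERSION.TXT 200
2000-10-30T10:01:10 10.0.0.12 GET http://www.geocities.com/example_page/12.ZIP 200
2000-10-30T11:30:00 10.0.0.21 GET http://www.example.com/downloads/version.txt 200
2000-10-30T13:40:00 10.0.0.21 GET http://www.example.com/downloads/3.zip 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# A bare "version" text file, e.g. LASTVERSION.TXT or version.txt.
VERSION_FILE_RE = re.compile(r"/(?:last)?version\.txt$", re.IGNORECASE)
# A purely numeric archive name (the "nn.ZIP" module) or the GATEWAY.ZIP loader.
COMPONENT_RE = re.compile(r"/(?:(?P<num>\d+)|gateway)\.zip$", re.IGNORECASE)
DEFAULT_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "client": m["client"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def directory_of(url):
    """'http://h/a/b/FILE' -> 'http://h/a/b/' (the update site directory)."""
    return url.rsplit("/", 1)[0] + "/"


def find_self_update_sequences(log_text, window=DEFAULT_WINDOW):
    """One record per (client, directory) that fetched a version file and then,
    within `window`, a numbered or GATEWAY archive from the same directory."""
    version_checks = defaultdict(list)  # (client, directory) -> [timestamps]
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 200:
            continue  # malformed line or an unsuccessful fetch: nothing was pulled
        key = (rec["client"], directory_of(rec["url"]))
        if VERSION_FILE_RE.search(rec["url"]):
            version_checks[key].append(rec["ts"])
            continue
        m = COMPONENT_RE.search(rec["url"])
        if not m:
            continue
        recent = [t for t in version_checks.get(key, [])
                  if timedelta(0) <= rec["ts"] - t <= window]
        if not recent:
            continue  # archive without a preceding version check: not this pattern
        hit = hits.setdefault(key, {
            "client": rec["client"],
            "update_site": key[1],
            "version_check": min(recent),
            "components": [],
            "module_version": None,
        })
        hit["components"].append(rec["url"].rsplit("/", 1)[1])
        if m["num"] is not None:
            hit["module_version"] = int(m["num"])
    return sorted(hits.values(), key=lambda h: h["version_check"])


if __name__ == "__main__":
    for h in find_self_update_sequences(SAMPLE_LOG):
        print(f"{h['client']} pulled module v{h['module_version']} "
              f"({', '.join(h['components'])}) from {h['update_site']} "
              f"after a version check at {h['version_check']:%H:%M:%S}")
```

The time window is what keeps this from being a plain file-name match: a client that only fetched the version file (the site had nothing newer) and a client that fetched an archive with no preceding check are both left alone, while widening the window to hours would also catch the slower sequence on 10.0.0.21. The Music worm's three plug-in files carry their versions inside the files rather than in a separate version request, so for it only the repeated fetch-and-compare against the same directory is visible at the proxy, not the initial version-file request.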