Iraq still onlineBy Brian McWilliams
Since the U.S. military moved into the "shock and awe" phase of its campaign
early Friday, Web surfers have encountered intermittent problems reaching Uruklink.net,
the Iraq government's main Web site. But those access difficulties are apparently due to a
surge of Internet visitors, along with some untimely technical changes, rather than to
damage from the bombing or a government shutdown. In fact, on Thursday, following the
start of the U.S.-led attack, traffic to Uruklink.net hit a record. According to a counter
at the site's home page, over 14,200 people visited March 20, making it the busiest day at
the site. Uruklink.net currently displays a computer-generated date of March 21, 2003.
Atop the home page are prominent links to streaming video versions of last month's
interview between Hussein and CBS News anchor Dan Rather. The heavy shelling of Baghdad
has apparently not yet affected Iraq's primary e-mail servers, mail.uruklink.net and
mail.warkaa.net. Both systems were still responding to network queries late Friday EST.
The Web site of Iraq's Satellite TV channel was also still online. For reasons not
apparent, the administrators of Iraq's network changed the Internet protocol (IP) address
of Uruklink.net and a couple of the country's other primary Web sites on Thursday.
Meanwhile, one of Iraq's domain name servers -- the systems that route traffic to the
appropriate destination -- appears to be offline. As a result, the Iraqi sites' ability to
handle the increased traffic is hobbled.Internet traffic to and from Iraq's Web sites and
e-mail systems is carried primarily by satellite links provided by Atlanta International Teleport of
Georgia and Satellite Media Services
of England.
Similarly, the home page of Iraq's BabilOnline newspaper, operated by Saddam Hussein's
son Uday, set a traffic record Thursday. A counter on the site's home page racked up over
1,000 visits, twice its average.
http://62.145.94.111/ - Uruklink.net
http://www.babilonline.net/
www.salon.com/tech/feature/2003/03/21/iraq_online
Survey: Security is a people, not technology, problem

A survey released today by the
Computing Technology Industry Association showed that nearly two-thirds of reported
security breaches were primarily the result of human error.Both
industry and government officials stressed the need for more education and certification
of IT professionals, especially in security. But calling for education is one thing and
paying for it is another, the speakers said.
GCN.COM --GCN Daily
++++++++
Homeland Security warns about systems
threats as war looms
The Homeland Security Department today reminded Internet users
to be vigilant for cyberattacks in light of President Bushs ultimatum last night to
Iraqi President Saddam Hussein. The department and other
federal agencies are monitoring the Internet for signs of a potential terrorist
attack, cyberterrorism, hacking and state-sponsored information warfare, a Homeland
Security statement said. Industry and public Internet users are reminded of the
importance of employing sound security practices and reporting unusual activity or
intrusion attempts to DHS or local law enforcement.
www.securityfocus.com/news/3205
www.gcn.com/vol1_no1/daily-updates/21419-1.html
www.fcw.com/fcw/articles/2003/0317/web-home-03-18-03.asp
www.washingtonpost.com/wp-dyn//A46583-2003Mar18.html
www.computerworld.com///story/0,10801,79483,00.html
++++++++
US Army attacked via new Windows flaw
08:43 Tuesday 18th March 2003
Robert Lemos, CNET News.com
Microsoft warned customers on Monday that a security hole in Windows 2000 and the
company's Web server software is allowing online attackers to take control of corporate
servers.
The flaw, known as a buffer overflow, is in a component of the software that handles
the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol in Microsoft's
Internet Information Server (IIS). A specially formatted Web request to the WebDAV
component can overflow the memory allocated to such requests and cause another, malicious
program to be run instead. The technique can be used to take control of the server.
The flaw affects only IIS 5.0 on Windows 2000 servers.
www.msnbc.com/news/886524.asp?0si=-
www.eweek.com/article2/0,3959,938096,00.asp
news.zdnet.co.uk/story/0,,t269-s2132071,00.html
www.fcw.com/fcw/articles/2003/0317/web-hack-03-18-03.asp
microsoft.com/technet/treeview//security/bulletin/MS03-007.asp
Microsoft warns of exploit in Windows 2000, IIS
By Paul Roberts
IDG News Service
WebDAV is a set of extensions to HTTP that allows users to edit and manage files on
remote Web servers.
Attacks could come in the form of malformed WebDAV requests to a machine running IIS
version 5.0. Because WebDAV requests typically use the same port as other Web traffic
(Port 80), attackers would only need to be able to establish a connection with the Web
server to exploit the vulnerability, Microsoft said. Machines running the Windows NT and
Windows XP operating systems are not vulnerable, according to Microsoft.
Adding to the danger of the new vulnerability is the fact that many administrators may
not know that they have the WebDAV serbicve enabled on their ISS server, Hameroff said.
The service is enabled by default on ISS 5, according to Hameroff
www.nwfusion.com/news/2003/0317micropubli.html
++++++++
5 Network Vuln scanners tested
InfoSecurityMag tests these network vulnerability scanners:
Internet Security Systems' Internet Scanner 6.21
eEye Digital Security's Retina 4.9
Symantec's NetRecon 3.5
SAINT's SAINT 4.1
Nessus1.2.6 and NessusWX1.4.2
Read the results and get tips on scanning today's NOS here:
www.infosecuritymag.com/2003/mar/cover.shtml
+++++++++
Tricky Windows worm poses as game
By John Leyden
14/03/2003 at 14:00 GMT
A new email-aware worm, Bibrog-B, poses as a computer game in an
attempt to dupe users.
The worm, which is spreading (modestly) by email and through file sharing networks, is
more subtle and devious than most Windows worms. Its payload contains not just malicious
code but a shooting game too.
When users infect themselves via a virus they might notice something is wrong with their
PC. The game component of Bibrog-B masks its true purposes.
While the shooting game is running, the worm is copying itself across the user's hard
drive and preparing to forward itself to all contacts in the Outlook address book, or via
file-sharing networks.
In a particularly devious twist the worm makes changes to an infected user's Internet
browser so that it can display fake versions of genuine Web sites such as Hotmail,
Citibank, MSN and Yahoo. Security firms believe this is an attempt to steal usernames and
passwords.
"Many people assume a virus that destroys data is as bad as it gets. However, a virus
which can swipe confidential details such as account information is a much greater
potential danger," said Graham Cluley, senior technology consultant for Sophos
Anti-Virus.
The payload of the worm comes in the form of an executable attachment. Blocking such
attachments in email, which have little or no legitimate use, is probably the simplest and
most effective way to guard against Bibrog and other similar viruses
More details of the Bibrog worm are available here.
www.theregister.co.uk/content/56/29768.html
++++++++++
Code Red II Variant on the Prowl 
By Dennis Fisher March 11, 2003
Security experts are watching a new variant of the Code Red II worm that began
appearing on some monitoring networks Tuesday. The worm is nearly identical to its
ancestor, save for a modified drop-dead date that is now several thousand years in the
future. Known as Code Red.F, the worm uses the same infection method as the previous
versions, attacking Web servers running Microsoft Corp.'s IIS software. The worm so far
has infected only a few machines, and because most administrators patched their servers
after the initial Code Red outbreak in 2001, it is unlikely to spread extensively, experts
say. All of the Code Red worms exploit an unchecked buffer in the Index Server in the IIS
software. They then spread by infecting one machine and then scanning a list of random IP
addresses and attempting to connect to port 80.
www.eweek.com/article2/0,3959,924269,00.asp
www.theregister.co.uk/content/56/29724.html
www.nwfusion.com/news/2003/0312newcode.html
www.informationweek.com/story/IWK20030312S0005
++++++++
Windows broadband users targeted by attackers
By David Legard
IDG News Service, 03/12/03
The CERT Coordination Center security organization based at Carnegie Mellon University
said Tuesday it has seen an increase in exploitation of weak administrator passwords on
systems running Microsoft's Windows 2000 or Windows XP operating systems.
Attacks are being particularly - though not exclusively - targeted at home broadband
users running those operating systems, according to CERT/CC. The weakness specifically
refers to nonexistent or easily discovered passwords on Server Message Block (SMB) file
shares, with thousands of systems being compromised in this way, CERT/CC said in an
advisory.
Windows uses the SMB protocol to share files and printer resources with other
computers. The two versions of the operating system referred to in the CERT bulletin
transfer information via TCP/IP. These systems are vulnerable to attacks using tools such
as W32/Deloder, GT-bot, sdbot, and W32/Slackor. Older operating systems which share SMB
information differently are not vulnerable, according to CERT/CC.
According to CERT/CC, attackers who gain access in this way could:
Exercise remote control.
Expose confidential data.
Install other malicious software.
Change or delete files.
Install or support tools for use in distributed denial-of-service attacks
against other computers.
www.cert.org/advisories/CA-2003-08.html
www.nwfusion.com/news/2003/0312windobroad.html
Deloder worm targets weak passwords
By Paul Roberts
IDG News Service
03/10/03
A new worm on the Internet targets computers running the Microsoft Windows operating
system, using easy-to-guess passwords for the Administrator account, according to alerts
posted by a number of antivirus companies. The worm attempts to connect to other
computers on a network through TCP port 445, randomly generating IP addresses to locate
vulnerable machines. Port 445 is used to access shared files on Windows machines with the
Server Message Block protocol. When a vulnerable Windows machine is located, the worm
attempts to log on to the machine's Administrator account by trying 50 likely passwords
such as "admin," "password," "12345," and
"administrator," F-Secure said. If the worm succeeds in breaking the
Administrator account password, it places copies of a backdoor, (trojan) program known as
"inst.exe" in several locations on the infected machine and copies itself as
Dvldr32.exe
www.nwfusion.com/news/2003/0310deloader.html
www.cert.org/current/current_activity.html#W32.Deloder
www.sophos.com/virusinfo/analyses/w32delodera.html
|