Monday, August 27, 2007

Daily Highlights

The Department of Homeland Security's Domestic Nuclear Detection Office has announced the graduation of the first class of the Advanced Radiation Detection course, providing state, local, and municipal jurisdictions with skills to detect and investigate the potential malicious use of radioactive or nuclear material. (See item 3)
The Federal Aviation Administration is testing an experimental, satellite−based navigation system called NextGen that hopefully can prevent gridlock in the skies in the coming decades. (See item 11)
Attention DHS Daily Report readers: After five years, the production of the DHS Daily Report is transitioning to a new research team effective for the Tuesday, August 28, edition. The format of the DHS Daily Report will remain the same, but starting at the end of this week, it will be disseminated from a new email address: Please stay tuned over the next few days for an announcement of the activation of the new email address and prepare to adjust your mail filters accordingly. Thank you for your support during this transition.

Information Technology and Telecommunications Sector

27. August 24, InformationWeek — Slammer worm still attacking. Gunter Ollmann, director of security strategy at IBM's Internet Security Systems, said the most common malware attack today is coming from the Slammer worm, which hit in January of 2003. The worm is still working its way around the Internet and within corporate networks, according to Ollmann. And it's still spreading in a big way. And Slammer isn't the only piece of old−time malware that is still wreaking havoc. "The stuff [malware authors] wrote a while ago is still out there and still propagating and still infecting machines," he said. "Some have more infections now than they did when they were headline news. All those old vulnerabilities haven't all gone away." Slammer, the worm that brought many networks down to their knees by attacking Microsoft's SQL Server, is at the top of Ollmann's list of current malware problems. "When we hear about the latest worm and zero−day, Slammer still beats them by a long shot," he added.

28. August 23, U.S. Computer Emergency Readiness Team — US−CERT Technical Cyber Security Alert TA07−235A: Trend Micro ServerProtect Contains Multiple Vulnerabilities. A number of vulnerabilities exist in the Trend Micro ServerProtect antivirus product. These vulnerabilities could allow a remote attacker to completely compromise an affected system. Multiple buffer overflow vulnerabilities and an integer overflow vulnerability have been discovered in the RPC interfaces used by various components in Trend Micro's ServerProtect software package. These vulnerabilities could be exploited by a remote attacker with the ability to supply a specially crafted RPC request to the system running the affected software. Solution: Trend Micro has provided an update for these vulnerabilities in ServerProtect 5.58 for Windows NT/2000/2003 Security Patch 4 − Build 1185. Until the patch can be applied, administrators may wish to block access to the vulnerable software from outside their network perimeters, specifically by blocking access to the ports used by the ServerProtect service (5168/tcp) and the ServerProtect Agent service (3628/tcp). This will limit exposure to attacks; however, attackers within the network perimeter could still exploit the vulnerabilities.
ServerProtect 5.58 for Windows NT/2000/2003 Security Patch 4 − Build 1185:

29. August 23, eWeek — Hackers hit Trend Micro's ServerProtect. Hackers have set their sights on security vendor Trend Micro's ServerProtect. Several security researchers have noted a massive increase of activity over TCP port 5168 connected with ServerProtect, an anti−virus software product for servers that had a number of vulnerabilities publicly disclosed earlier the week of August 20. All of the vulnerabilities, which could lead to remote code execution, have been patched and the security fixes are available to customers. "Various people are abuzz trying to figure out what malware is behind this," Jose Nazario, senior security researcher at Arbor Networks, in Lexington, MA, wrote on a company blog. "At present it seems to be a botnet causing all of the havoc." Officials at Symantec said in an alert Thursday, August 23, that they have observed active exploitation of a Trend Micro ServerProtect vulnerability affecting the ServerProtect service on a DeepSight honey pot and are checking to see what vulnerability had
been targeted. The company advised administrators to block TCP port 5168 at the network boundary or deploy strict IP−based access control lists to hamper hacking attempts.