Welcome to the newly named Symantec Security Response Newsletter. Symantec recently announced the merger of its research and technical support centers into one body, Symantec Security Response. To learn more about Symantec Security Response, please read the press release. The newsletter has a new name and look to reflect this merger, and the publication will now cover Internet security threats, exploits and vulnerabilities as well as viruses, Trojans and worms. We have added a new section to the newsletter covering Security Advisories and will add other relevant sections as needed. This month Leigh Costin writes about wireless security issues in an article titled Drive by Hacking. To find out about the latest Internet security threats, go to http://securityresponse.symantec.com. Don't worry, if you already have SARC's old URL bookmarked, it will automatically redirect to the new site.

David Banes, Editor, securitynews@symantec.com
Viruses, Worms & Trojans

W32.BlueCode.Worm - Low [2] - Win32

At this time, Symantec Security Response has not received any reports of this worm being "in the wild" (actual infections). W32.BlueCode.Worm is a worm that uses the known IIS Web Directory Traversal exploit. Information and a patch for this exploit are located at http://www.Microsoft.com/technet/security/bulletin/ms00-078.asp. Systems that have been patched are not affected.

http://securityresponse.symantec.com/avcenter/venc/data/w32.bluecode.worm.html

Eric Chien, Symantec Security Response, EMEA
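As an added illustration that is not from the newsletter or from Symantec: a defender-side check that decodes the overlong-Unicode and double-encoded path separators the MS00-078 folder traversal relied on and flags IIS log requests that climb above the web root. The log lines, IP addresses and paths are constructed samples, and the log layout assumed is the IIS W3C extended format.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample lines in IIS W3C extended log format (date time c-ip
# cs-method cs-uri-stem cs-uri-query sc-status); not taken from the newsletter.
SAMPLE_LOG = """\
2001-09-01 10:15:02 10.0.0.5 GET /default.htm - 200
2001-09-01 10:15:07 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2001-09-01 10:15:09 10.0.0.9 GET /msadc/..%255c..%255c../winnt/system32/cmd.exe - 404
2001-09-01 10:15:11 10.0.0.7 GET /images/logo.gif - 200
"""

# Overlong UTF-8 forms of '/' and '\' that unpatched IIS decoded as separators
# only after its ".." check had run, which is the MS00-078 flaw.
OVERLONG_SEPARATORS = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/",
                       b"\xc1\x9c": b"\\", b"\xe0\x81\x9c": b"\\"}

def decode_path(raw: str, rounds: int = 2) -> str:
    # Percent-decode repeatedly (catches %255c double encoding), then map
    # overlong separator sequences and backslashes to a plain '/'.
    data = raw.encode("latin-1")
    for _ in range(rounds):
        data = unquote_to_bytes(data)
    for seq, sep in OVERLONG_SEPARATORS.items():
        data = data.replace(seq, sep)
    return data.decode("latin-1").replace("\\", "/")

def escapes_web_root(path: str) -> bool:
    # Walk the segments; a ".." that climbs above the root is a traversal.
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False

def scan_log(text: str) -> list:
    # Return (client_ip, raw_uri) for every request that escapes the web root.
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip W3C header lines and malformed entries
        client_ip, uri_stem = fields[2], fields[4]
        if escapes_web_root(decode_path(uri_stem)):
            hits.append((client_ip, uri_stem))
    return hits
```

A request that escapes the root is flagged regardless of whether the server answered 200 or 404, since a patched server still logs the probe.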
W32.Apost.Worm@mm - Moderate [3] - Win32

Symantec has received a substantial number of submissions since September 3, 2001 for this worm, formerly known as W32.Urgent.worm@mm. Therefore, Symantec has upgraded the threat level from 2 to 3. We have added detection since its original discovery, and certified defs will be posted on September 4, 2001. This worm is a Visual Basic application that arrives as a readme.exe attachment to an e-mail. This worm requires the Microsoft Visual Basic Runtime Libraries to replicate. The body of the e-mail asks you to review the attachment, but once it is viewed the worm activates, hooks your system's activation routines and then spreads itself to all persons in your address book.

http://securityresponse.symantec.com/avcenter/venc/data/w32.apost.worm@mm.html

Atli Gudmundsson, Symantec Security Response, EMEA
W32.Magistr.39921@mm - Moderate [3] - Win32

Due to an increased number of submissions, Symantec has upgraded this virus to a Category 3 rating on 9/6/2001. Here is a list of the additional features and behavioral differences between W32.Magistr.39921@mm and W32.Magistr.24876@mm:

- Aware of Eudora address books (listed in eudora.ini.)
- Deletes *.NTZ while searching for files.
- Terminates ZoneAlarm before connecting to the Internet.
- Adds entry in the Shell=explore.exe entry in the Boot section of system.ini calling the W32.Magistr.Trojan.
- Searches for more "Windows" directories (WINNT, WINDOWS, WIN95, WIN98, WINME, WIN2000, WIN2K, WINXP.)
- Mail attachment has a random extension (exe, bat, pif, com.)
- Occasionally attaches .gifs to emails.
- W32.Magistr.Trojan payload overwrites ntldr and win.com on all drives with code to store garbage in the first sector of the first IDE hard disk.
http://securityresponse.symantec.com/avcenter/venc/data/w32.magistr.39921@mm.html

Peter Ferrie, Symantec Security Response, APAC
Trojan.Zeraf is a destructive Trojan horse that deletes critical system files. If it has executed, you will no longer be able to run Windows. This Trojan is programmed in Delphi and distributed as a UPX-packed, self-extracting RAR archive. (UPX is a runtime compressor for Windows executable files.) When the Trojan is run, it inserts the actual Trojan executable on the hard disk as C:\Zeraful\Zeraful.exe and then executes that file. While counting to 100%, the destructive payload activates. It attempts to delete files, including many from the Windows directory. For more information, read the full description on our web site.

http://securityresponse.symantec.com/avcenter/venc/data/Trojan.zeraf.html

Andre Post, Symantec Security Response, EMEA
Security Advisories

This new section of the Security Response Newsletter will contain current and newly discovered security advisories.
Enterprise Security News Clips

Vulnerability & Exploit News

Drive by hacking - How secure is Wireless Networking?
In a recent story, hackers are reputed to have driven by the corporate headquarters of a major supplier of wireless networking equipment and connected to the network using a laptop and a PCMCIA wireless card. No real claims of what was accessed or stolen were made or verified. There has been much discussion about the level of security offered by the wireless networking standard 802.11b, also known as Wi-Fi. Most of it has centred on the encryption standard used and how it is implemented. How does this affect the real-world usage of Wi-Fi technology?

The three key areas of Wi-Fi usage are:

- Home use, where a small home network of 2-5 systems is connected to share expensive resources such as high-speed Internet access, servers or printers.
- Small business, where premises might be temporary, or the location might be too expensive to cable up.
- Corporate use, where Wi-Fi is an extension of the main corporate network into work areas that are difficult or impractical to cable. Often used where mobility is required, such as in hospital wards and warehouses.

Looking at each scenario from the viewpoint of risk, what is at risk for each user?

For the home user, your neighbour could connect to your home wireless network and hijack your cable connection, but it is extremely unlikely. They may get access to shared files and data, but that would depend on the level of security you have and the systems you use. The lower level of Microsoft networking that is likely to be used, for example Windows 98 file sharing, makes this a possibility, if a remote one. Overall the level of risk can be assumed to be low to moderate.

Small business, on the other hand, could have a range of networks from the Windows 98 file sharing level up to Windows NT/2000 or Novell NetWare. The more secure the server operating system is, the less risk there is of data being stolen, provided the data is stored on the server. If the Wi-Fi is compromised, what could be introduced to the network are the various Trojans and viruses that are prevalent on the Internet. In this case the impact would be the same as unregulated access to the Internet. The degree of risk is similar to having no firewall and not patching vulnerable systems, something that small business struggles to implement and manage. For this level of business, the degree of risk can be rated as moderate. If, however, you have something that someone really wants to steal, and they are likely to know where you are, then the risk should be rated as high.

Use of Wi-Fi in major corporations carries an additional level of risk. If it is compromised, the attacker has achieved one of the key levels of penetration of the network. They are now through the firewall, an entity on the LAN, and have the ability to test the more fundamental aspects of the corporate IT security. Systems with vulnerabilities that aren't patched, passwords and logins that are too obvious, and applications that send passwords in clear text all provide means to elevate their access rights. The IT and security personnel would now be relying on their intrusion detection systems to defend against or trace any hostile actions by an intruder inside the network. The risk associated with all this should be rated as high to extremely high.

So how do we minimise the risk associated with Wi-Fi?

The first risk to look at is: do you care? In the home user scenario, history shows that not a lot of people understand that their privacy is at risk. If a secure system costs more, or is harder to set up, fewer home users will implement it. After all, I don't keep anything really secret on my home computer, right?

The next risk is in the level of technology used. Wi-Fi can use encryption to secure all traffic from the client to the base station; this forms part of the Wired Equivalent Privacy, or WEP, standard. The base station can be configured to use an authentication key that is stored and transmitted when a client wants to connect to it. The base station can also be configured to only accept connections from a set range of IP addresses. The initial round of Wi-Fi products used what is now deemed to be low-level encryption with a 40-bit key. At the current technology level, this can be broken by a single computer in a relatively short period of time, minutes in fact. In addition, fixed keys were used by some early Wi-Fi solutions, so that if someone bought an identical card they could gain access to someone else's network. The current Wi-Fi offerings use a higher level of encryption based on a 128-bit key length, and planned future solutions are offering higher levels. This broadens the options for the security-conscious Wi-Fi buyer. For corporate users, the option of using Virtual Private Networking should be considered. This would provide a strong encryption tunnel over the Wi-Fi connection, securing the traffic from external analysis. A personal firewall would provide additional security for the client operating system. The network should also be enhanced by adding a firewall between the wireless network and the corporate LAN.

The third risk is the use of default settings for anything associated with Wi-Fi. All the products have default settings, and using them exposes the network to compromise. With current offerings, the ability to change the authentication key is not always easy, and this leads to users choosing the defaults. It would require the attacker to know what hardware was being used by the target network, but this is not impossible to find out: the list of defaults can be guaranteed to be posted on a web site somewhere, and the attacker could trawl through the list until they get a suitable response.

Is Wi-Fi a viable solution for use in the home and in business? The answer is yes, but. The Wi-Fi user needs to be aware of the security options offered for the solutions they choose. They need to avoid using default settings for authentication keys and IP address ranges. Corporate users need to be set up to use additional security applications such as personal firewalls and VPNs if this is at all practical. All Wi-Fi users need to keep strict control of the client interface card, particularly PCMCIA cards for laptops. Once they are lost, the network can be assumed to be compromised, as the card holds most, if not all, of the information necessary to gain access to the Wi-Fi network.

Wi-Fi is a very useful technology for a large number of portable network solutions. Its convenience outweighs its risks for many users. But let's not forget to maintain the level of security appropriate for the functions we run over the network.

Best Practices for Wi-Fi LANs

- Avoid using the default settings, particularly for authentication.
- Install a personal firewall on all Wi-Fi clients.
- Use Virtual Private Network solutions [IPSec standard] or SSH for corporate implementations on top of Wi-Fi, and in preference to WEP.
- Isolate the Wi-Fi network by placing a firewall between it and the corporate network.
- Treat Wi-Fi interface cards as security devices, particularly any PCMCIA units.

Leigh Costin, Product Manager, Enterprise Security Appliances, Symantec Asia Pacific