Weekly Newsletter from Help Net Security - Covers weekly roundups of security events that were in the news the past week. In this issue: Building a DHCP server under Linux, :CueCat privacy advisory, Carnivore FAQ, VBS.Disabled.Worm, Detection of unknown viruses, Major vulnerability in Alabanza control panel, E*Trade login/passwords remotely recoverable, Ciscosecure ACS vulnerabilities, Browsegate v2.80 dos, Red Hat Glint symlink vulnerability, Extent RBS directory traversal, exploit using Eudora and the Guninski hole, Wincom LPD dos, DG/UX kdebug daemon remote vulnerability, and more.
51b6b27c22f175737877cc0d9468dcdc77c0ac0cd039baae902daa9a6a126768
New versions of Stacheldraht and Trinity distributed denial of service (DDoS) attack tools have been found in the wild. The new versions of Stacheldraht include Stacheldraht 1.666+antigl+yps and Stacheldraht 1.666+smurf+yps. A variant of the Trinity tool called entitee has also been reported.
bf70582377dd6c20bb49cdd77ca3e0c56492dfd692b6275a785542a9865f27f6
DNSHoe.pl v1.0 is a perl script which looks up hostnames for a range of IP addresses. Good for doing low profile network reconnaissance. Requires NET::DNS perl module.
8ec26f5c8d81342f7b0b163a761ae8c07e21c96033d3c3937f3b27cbed37ebd5
Microsoft Security Bulletin (MS00-069) - Microsoft has released a patch that eliminates the "Simplified Chinese IME State Recognition" vulnerability in Windows 2000 which allows a malicious user with access to either a physical keyboard or a terminal server session to gain LocalSystem privilege, without logging onto the machine. Microsoft FAQ on this issue available here.
e6561dc5d442f32b4b2b9f66505a703d117d83ea92d5675bd658cd94ab2b12e3
Sendmail is a very popular unix Mail Transfer Agent, a program that moves mail from one machine to another.
ae34096c24be271f4b2392de0b8671255ddbdfd32938193760530348d23d0325
BFBTester is a utility for doing quick, proactive security checks of binary programs by performing checks of single and multiple argument command line overflows and environment variable overflows. It will also watch for tempfile creation activity to alert the user of any programs using unsafe tempfile names. While BFBTester cannot test for all overflows in software, it is useful for detecting initial mistakes that can red-flag dangerous software. Tested on FreeBSD and Solaris. Some overflows found with BFBTester are here.
352e56368cecec67fcf3f4d50db5519b0d27e2ca85fdeb5e38df1ce311dfdbf9
Winsniffer is a packet sniffer for the Windows console designed to be efficient and flexible. Screenshot available here. This is a trial version.
2faa11fb3655d3a03324f268eb9e9a99c2ad0d94184b6968ee4ce8417fe1078d
Spade stands for Statistical Packet Anomaly Detection Engine. It is a Snort preprocessor plugin to report and score unusual, possibly suspicious, packets. The anomaly score that is assigned is based on the observed history of the network. The fewer times that a particular kind of packet has occurred in the past, the higher its anomaly score will be. Based on the SPICE Whitepaper.
2d6fa9e406470ef908f831043f095d3795da1bdc0dcb001c6ef8411dfc6f8b38
SPICE Whitepaper - The Stealthy Portscan and Intrusion Correlation Engine is a project at Silicon Defense to detect portscans, even those in which the attacker has attempted to make the scan stealthy. For example, they may have slowed down the scan or randomized it. The basic idea with Spice is to monitor a network's packets. Each packet is assigned an anomaly score based on the normal traffic observed on the network. The higher the score, the more unusual and possibly suspicious the packet is. These are then passed to a correlator which groups related packets together and reports portscans. The correlator is under active development, but an implementation of the anomaly sensor called SPADE has been released.
c99f6f93498d742845e7c30fc7a248c8ed4aea75426f04e9ec5ace07517adf05
SIDEN is a distributed network discovery tool which allows you to simulate coordinated/distributed network probes by a group of attackers against one or many target machines. It uses a client/agent architecture where the agents are installed on multiple hosts. Works well on OpenBSD and FreeBSD.
71edb23b755f7de1eaaf2e5199b905da4676113137ff32ee57c6c86680f60d80
Filewatch is a perl script which watches the CTIME of your files and alerts you to any changes.
e9b0b9efd07c128e57f46f40b0b2e0a783de6b4293eef730676aacb551c53e92
The Linux Intrusion Detection System is a patch which enhances the kernel's security. When it's in effect, many system administration operations can be made impossible even for root. You can turn the security protection on or off on the fly and you can hide sensitive processes and prevent anyone from using ptrace or any other capability on your system. LIDS can also provide raw device and I/O access protection.
e275ddc9295a2fddee1e45c565df3832e526ec7cb6b0c378c9aa85ebbb90e5b1
Arping is an arp level ping utility which broadcasts a who-has ARP packet on the network and prints answers. Very useful when you are trying to pick an unused IP for a net that you don't yet have routing to.
976349baa74d7c9985fcc53b8c28077afa403438fcce93e278e32ae3198d6aa6