Educause Security Discussion mailing list archives
Items of possible interest...
From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 3 Apr 2003 16:59:08 -0500
Some things below, received by the REN-ISAC, that could be of interest to your campuses. (By the way, the information in the media summaries at the bottom is from NIPC (now IAIP of DHS) information products that anyone can subscribe to at nipc.gov.)

M.

--
Mark S. Bruhn, CISSP
Chief IT Security and Policy Officer
Interim Director, Research and Educational Networking Information Sharing and Analysis Center (ren-isac () iu edu)
Office of the Vice President for Information Technology and CIO
Indiana University
812-855-0326

Incidents involving IU IT resources: it-incident () iu edu
Complaints/kudos about OVPIT/UITS services: itombuds () iu edu

******

UNCLASSIFIED//FOR OFFICIAL USE ONLY

THIS INFORMATION IS FOR OFFICIAL USE ONLY. PLEASE LIMIT DISTRIBUTION TO SYSTEMS/NETWORK ADMINISTRATORS AND SECTORS WHICH COULD BE ADVERSELY IMPACTED BY CYBER ATTACKS.

NSIRC-093-03

SUBJECT: NSIRC ALERT -- Chinese Hackers To Coordinate Plans on 29 March 2003 for Cyber Attacks Against U.S. and UK Computer Systems

SUMMARY

A group of Chinese hackers is making plans to launch cyber attacks against U.S. and UK information systems in the near future. Although unclear, these cyber attacks may involve web defacements and some sort of distributed denial of service (DDOS) attacks. This report will provide available details concerning this activity and two web sites where the discussions are occurring.

DETAILS

Chinese hackers are planning to launch cyber attacks against U.S. and UK web sites and information systems on an unknown date. A coordination meeting is set for 29 March 2003 at probably 0730Z between the organizers of these attacks and participants. (COMMENT: The actual wording was 29 March at 1530.)

On 17 March 2003, an individual using the handle "LongMarch" (NFI) posted a message to a bulletin board service located at URL http://www.longker.com referencing a planning meeting for participants of upcoming cyber attacks against the U.S. and the UK, but not domestic entities. In this message, there were indications that the participants of the cyber attacks were going to be split into two separate groups: one group that will conduct scanning activities and another group that will carry out the actual attacks. The groups were not to destroy information but to conduct web defacements and post antiwar messages. Additionally, the individuals were "to follow the rules or be expelled."

A web site at URL http://www.rvibo.y365.com/index.htm, which may be owned by a possible member of Honker Union of China and identified as "tiger," outlined the time and date for the coordination meeting to be held in the "conference room." (COMMENT: Probably a reference to a chat room.) The coordination meeting was scheduled for 29 March at probably 0730Z for individuals interested in participating in cyber attacks against the U.S. (COMMENT: The actual time for the planning session was listed as 29 March at 3:30 P.M.) In addition, this site listed a series of hacking tools that could be used during these attacks; however, this site also noted that individuals could use their own tools if they so desired. The Windows and Unix tools included scanners and denial of service tools, with some discussions on buffer overflows and virus attacks. Targeted ports may include 23, 69, 80, 111, 139, 1433, and 8080.

COMMENT: In March and April 2002, Chinese hackers conducted cyber bulletin board planning for a commemorative cyber attack against the U.S.; however, this attack was cancelled. During the planning stages for this commemorative attack, the Chinese hackers decided to split their collective resources into separate groups; one group was to conduct vulnerability scanning and another group was to carry out attacks. This is very similar to the plans posted in the 17 March 2003 message and may indicate that the cyber attack currently being planned will be similar to the attacks that were to occur in May 2002.

ANALYST COMMENTS

Since the U.S. and the UK have specifically been mentioned as targets of these attacks, these cyber attacks may be related to the war in Iraq and may target U.S. and UK government and DoD information systems and may occur at any time. However, if these attacks are commemorative in nature, then the attacks may take place during the first week of May.

Previously, it has been considered unlikely that Chinese hacker groups would instigate or maintain major cyber attacks without the knowledge and probable acquiescence of the Chinese government. Consequently, one of the main indicators used to monitor possible Chinese hacker activity is the current state of relations between the U.S. and Chinese governments, which is currently on an upward swing. However, recent information indicates dissatisfaction among the Chinese hacker community over recent Chinese government regulations, which may be leading to a change in the Chinese hacking landscape. Therefore, even though there appears to be an upward trend in U.S.-China relations, it is possible that Chinese hackers will attack U.S. government and commercial information systems in spite of the wishes of the Chinese government.

Furthermore, prior collaborative attacks planned by the Chinese hacker community, such as the 1 May 2002 attack, have been preceded by multiple messages and discussions posted on bulletin boards at various hacker web sites. The lack of information on other web sites regarding this activity could be a sign of improved operations security being practiced by Chinese hackers, as opposed to a lack of validity for the current activity.

System administrators should be alert for unusual activity and should make every effort to ensure that the latest security patches and upgrades have been made to their systems. The Systems and Network Attack Center, C4, has developed Security Recommendation Guides for Windows XP, 2000, NT, Cisco Routers, E-mail, Executable Content, and other supporting documentation. These guides describe the "best practices" for securing systems. These guides can be downloaded from http://www.nsa.gov/snac/index.html on the Internet or http://www.iad.nsa.smil.mil/library/html/sec-cfg-guides.cfm on SIPRNet. If properly implemented, recommendations in these guides will help prevent the majority of compromises into government systems.

FEEDBACK

The National Security Incident Response Center (NSIRC) would like to know if the information in this report is of value to your organization. Your feedback will help us provide the best information possible in the future, tailored to customer needs. Should you have any questions or other comments about this report, please e-mail the Leadership Team at x72fb () vc di nsa on NSANet or x72fb () nsa smil mil on SIPRNet or call our office on 968-7851 (NSTS), 244-4881 (DSN), or (410) 854-4881 (CMCL/STU-III). Please direct your technical questions to Ronald Short or Joan Carrier, X72, 968-7851, or email the analyst on SIPRNet at rjshort () nsa smil mil or jrcarri () nsa smil mil or on NSANet at rjshort () vc di nsa or jrcarri () vc di nsa.

Our goal in producing these advisories/alerts is to make you aware of incidents and vulnerabilities affecting systems within the government and to help you secure your networks to the fullest extent possible. Your feedback is a critical part of this process.

REPORTING ATTACKS: Members of the Telecommunications/Information Systems communities, please report information pertaining to any suspected or confirmed attacks to ncs () ncs gov, (703)607-4951. Members of the Federal Government, please report information pertaining to any suspected or confirmed attacks to FedCIRC () fedcirc gov, (888)282-0870. Members of commercial and private sectors please report information pertaining to any suspected or confirmed attacks to nipc.watch () fbi gov, (202) 323-3205.

April 02, Associated Press - Thieves take computers containing details on radioactive material.
Eight state-owned computers containing details on all of the New Mexico companies that use radioactive material have been stolen, officials said Tuesday. The names, addresses and phone numbers of more than 210 businesses are contained in the stolen computers, along with what radioactive materials each is licensed to have, said Bill Floyd, manager of the state Environment Department's Radiation Control Bureau. Thieves took the eight computer towers from the bureau's office in Santa Fe either Thursday night or early Friday. While the files are legally accessible to the public, anyone seeking them would need to do so under the Freedom of Information Act, Floyd said. He said he believed the culprits were seeking the machines themselves -- not the data in them.
Source: http://www.cnn.com/2003/US/Southwest/04/02/radiation.files.ap/index.html

23. April 01, The Oregonian - Al Qaeda supporters hack into student's Web site.
The Web site of a Portland State University graduate student was targeted in a wave of Internet hackings supporting al Qaeda. Files planted in Conrado Salas Cano's personal Web site housed threats against the United States, tributes to the September 11 attacks and purported messages from Osama bin Laden. The FBI reportedly launched an investigation, and some cyberterrorism followers said it resembled attacks by al Neda, the online propaganda unit of al Qaeda. Josh Devon, an analyst at the Search for International Terrorist Entities Institute, said some of the pages contain pictures of guns and bomb-making manuals in Arabic. Specific plans of future attacks aren't on the site, although Devon said it's possible they use code words to communicate attacks. Since losing their domain name last summer, Devon said al Neda has been hacking into various sites around the globe to spread its message. Once the sites are discovered and shut down, a new al Neda site pops up within 48 hours. News of the Web sites, he said, spreads by word of mouth and in Arabic newspapers.
Source: http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1049201902166680.xml

24. April 01, Reuters - Website hoax fans virus panic.
A teenager's website hoax about a killer virus that is sweeping Hong Kong sparked panicked food buying and hit financial markets on Tuesday, forcing the government to deny it would isolate the entire territory. "We have no plan to declare Hong Kong an infected area," Director of Health Margaret Chan told reporters. "We have adequate supplies to provide (for) the needs of Hong Kong citizens, and there is no need for any panic run on food." In Hong Kong, 685 people are infected by severe acute respiratory syndrome, also known as SARS, and 16 have died from the virus. The fake website scare fueled dismay in the territory adjoining China's Guangdong province, where the virus is believed to have originated four months ago. The hoaxer copied the format of the public Internet portal of the Mingpao, one of Hong Kong's leading newspapers, and posted a message saying the government would declare the city of seven million "an infected place."
Source: http://www.wired.com/news/medtech/0,1286,58311,00.html

25. March 31, salon.com - Iraq goes offline.
U.S. Tomahawk cruise missiles aimed at destroying Saddam Hussein's propaganda machine reportedly destroyed several satellite dishes and an Internet server housed at Iraq's Ministry of Information building Saturday. Local phone service in the city was also reportedly disrupted by separate missile strikes on two telecommunications switching centers. Yet Babil Online, the home page of an Iraqi newspaper run by Saddam Hussein's son Uday, was still reachable following the bombing. Babil Online may have escaped the attacks because of its physical location -- the site appears to be hosted on a server not in Baghdad but in Beirut, Lebanon. Some observers have speculated that the United States left Iraq's Internet infrastructure untouched for the first week of the war in order to maintain communications with potential defectors in the high ranks of Iraq's government and military personnel. But Peter W. Singer, a fellow at the Brookings Institute, said he doubted that preserving Iraq's Internet capabilities was high on the priority lists of U.S. military planners. "Internet access is still limited mostly to elites in the country. The U.S. is mostly concerned about protecting things like water and electricity and bridges," said Singer. He said the mission of Iraq's Information Ministry has been not only to fire up nationalism but also to manipulate world opinion and to raise international protests against the war.
Source: http://www.salon.com/tech/feature/2003/03/31/iraq_offline/index.html

**********

Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.