news
Wireless WAN standard gets industry backing
Big IT companies including IBM, Microsoft, Intel, Dell, HP and Cisco have spoken in support of the wireless WAN 802.1x standard from IEEE. The standard enables interoperable identification, authentication and dynamic key management. It also enables per-session keys to be generated alongside the usual system of periodic authentication, helping to improve security by preventing the process from becoming stale.

Microsoft is set to include the standard in the beta 2 version of Windows XP. It will also offer customer support for the standard to Windows 2000 users. Bill Rossi from Cisco’s wireless networking division said that this “is the first implementation of the 802.1x draft security standard shipping today, and delivers the complete wireless security that will drive the digital renaissance.” Microsoft claims that the strength of its application of the standard in XP will be in the ease of networking for the end user. Jerry Meerkatz at Compaq said that the move would drive the industry towards “ubiquitous, high speed, wireless connectivity for the stateless user.” Dell spokesperson Tim Peters said, “Notebooks will have the capacity to roam seamlessly...quickly and automatically resuming secure connections.”

According to a statement by Microsoft, 802.1x is an extension of existing standards, making it compatible with management and accounting tools such as RADIUS, Kerberos and LDAP-based directories. This implies that corporations should find it faster and cheaper to deploy because of the lack of implementation difficulties.
VIRUS NEWS
Lion eats penguin
A destructive worm which targets Linux BIND DNS server vulnerabilities is now in the wild. SANS and NIPC issued warnings on 23 March, but quickly had to update them as there was a change in source code following the alert.

The worm targets Linux servers running BIND. Once it has found a vulnerable specification, it exploits it and then scans for computers on class B networks, using TCP port 53. It then queries the version and infects those running BIND 8 using the popular transaction signature (TSIG) exploit. The mutation then sets up an HTTP server on port 27374 and erects a page in homage to the Lion crew. Once in, it steals passwords and E-mails them to [email protected], which means that even after the attack is discovered and repaired, the passwords can still allow a hacker to gain access. This aspect has particular implications for ISPs. Meanwhile, it corrupts files, installs more hacking tools — including the t0rn rootkit — and makes the new victim scan the Internet for fresh prey. It also infiltrates the logging system, to hide its presence and negate reporting integrity. The program also calls home by reporting victim IP addresses at 12 hour intervals.

Although the worm is very destructive and sophisticated in its design, launching it does not require skill. Alan Paller from SANS said, “It's the meanest piece of code I've seen. It's what hackers do manually when they break into a system…You don't have to do anything for it to spread, making it much more dangerous.”

If you suspect an attack, the wisest course of action is to apply the Lionfind utility which is available from SANS. It can detect, but not clean, the Lion worm. A SANS spokesperson commented bleakly, “My best advice right now is just to reformat and re-install.”
Virus can hit Linux or Windows
Anti-virus vendors have reported the existence of a 'proof of concept' virus capable of attacking both Windows and Linux. It has been christened Winux and is written in assembly language. Winux is classified as low risk, however, because it is unlikely to replicate itself prolifically: users do not tend to share executables between different operating systems. It cannot send itself via E-mail. Ian Hameroff at Computer Associates explained its significance, “Even though it is not spreading, Winux has set a new level in malicious code creation, through its ability to attack both Linux and Windows.”

The stagnant nature of the threat and lack of a serious payload are not as comforting as they might be — the next cross-platform virus is likely to be far more destructive.

Winux affects executable files. It seeks files of over 100 KB in the current directory path. When it finds a Windows executable, it overwrites the .reloc section of an EXE file, assuming it is big enough to hold the virus body — if not, the file is spared. ELF files get similar treatment but the original virus code is then stored at the end of the file.

According to US anti-virus vendor Central Command, Winux is from the Czech Republic. The firm went public with the new technology when they received a copy within an anonymous E-mail, assumed to have come from the author. It is also said to contain the text, “virus by Benny/29A”. This identifies hacking group 29A as responsible — the group that released the Stream virus in September 2000. 29A also claims that the program is protected by a General Public Licence (GPL). Informed sources say this has caused offense amongst Linux programmers because this is the type of licence commonly used to protect their code.

Although it is not the first cross-platform virus, it is the first to be able to target Windows and Linux. Ryan Russell of Security Focus.com explained, “The Morris worm did a couple of flavours of Unix...there are Word macro viruses that can do Mac and Windows.” Central Command has a fix for Winux; it is available at www.avx.com.