Attacks, Flaws, and Penetrations

Among the news reports of attacks, flaws, and penetrations since the last issue of Cipher were the following:

• October 15: Microsoft confirmed a security flaw in Windows NT registry system that could permit an NT user to perform unauthorized software installations. According to an article in Infoworld, the problem was reported by David LeBlanc of Internet Security Systems. Microsoft has posted an article about the flaw at http://support.microsoft.com/support/kb/articles/q126/7/13.asp.
• October 17, November 4, November 11, and November 21 were the dates on which Microsoft posted successive security fixes for different security problems in Internet Explorer 4.0 identified by users worldwide; see http://www.microsoft.com/ie/security
• October 20: NASA report that ground systems supporting e-mail communications with the space station Mir were infected with a macro virus. In addition, a web server at the Johnson Space Flight Center was shut down and all passwords were reset after they learned a password file might have been compromised. In a separate incident, a NIST spokesperson reported that,following an anonymous tip, a password sniffer was discovered and removed from a NIST system.
• November 7: Reports surfaced that a sequence of code had been identified that, if executed by a Pentium chip (not Pentium Pro or Pentium II, however) would cause it to crash. The reports proved correct.
• November 10: Government Computer News reports that organizers of a Federal Web conference had misconfigured a Lotus Notes database and inadvertently exposed credit card information on an open web site.
• November 10: Security issues in cable modem systems such as those being marketed by @Home Network were the subject of an article in Infoworld. A California subscriber to @Home's service discovered that he could, with a few mouse clicks, gain information from computers located in about 150 remote systems listed in the Network Neighborhood.
• November 17: An article in Government Computer News reported that a citizen of the People's Republic of China working for a contractor to the U.S. Air Force had, more than a year ago, stolen passwords for an unclassified computer system, copied them, and posted them on the Internet. Lt. Gen. Kenneth Minihan, director of the National Security Agency, revealed that more than 250 Defense Department systems were penetrated last year, and that that number is expected to double this year, according to a separate GCN report.