CERT Coordination Center 1995 Annual Report
Publisher: Software Engineering Institute
Abstract
From January through December 1995, the CERT Coordination Center received 32,084 email messages and 3,428 hotline calls. We handled 2,412 computer security incidents during this period. More than 12,000 sites were affected by these incidents, which involved 732 break-ins and nearly that many probes and pranks. Among the most serious intruder activities for 1995 are the following.
- IP spoofing
There was a surge in IP spoofing this year. The year began with an advisory about IP spoofing, and attacks continued throughout the year. In a matter of weeks during the summer, we received more than 170 reports of IP spoofing attacks or probes, many resulting in successful break-ins. We found that several sites believed incorrectly that they were blocking such packets, and other sites had planned to block them but hadn't yet done so.
- Network File Service (NFS) attacks
This year there was a large increase in the number of attacks relating to weaknesses in NFS. Many of the attacks were successful; moreover, programs to automate these attacks have become widespread in the intruder community. A successful attack usually results in the intruders gaining root access.
- Network scanning
Intruders have been scanning a large range of network addresses using Internet Security Scanner (ISS). This tool interrogates all computers within a specific address range, determining the security posture of each with respect to several common system vulnerabilities. Intruders have used the information gathered from these scans to compromise sites, and we are aware of many systems that have suffered a root compromise as a result of information intruders obtained from ISS scans.
- Packet sniffers
This year we continued to receive new incident reports about sniffers on compromised hosts. These sniffers, used to collect account names and passwords, frequently have been installed using a kit. In some cases, the packet sniffer was found to have been running for months. Occasionally, sites had been explicitly warned of the possibility of compromise, but the activity continued because the site did not address the problem in the comprehensive manner we suggest in our security documents.
- Sendmail attacks
Intruders have been using a variety of techniques to exploit sendmail, with most of the attacks aimed at getting root privileges on the victim machine. This year, we released four CERT advisories and one vendor-initiated bulletin relating to problems with sendmail. In many cases, intruder attacks were successful because sites had not installed upgrades and patches nor taken other precautions such as running the sendmail restricted shell program (smrsh).
The year ended with a series of attacks on Internet sites that resulted in our issuing an alert to network service providers and the network community in general warning them of the intruder activities listed below (list taken from advisory CA-95:18).
- Using automated tools to scan sites for NFS and NIS vulnerabilities
- Exploiting the rpc.ypupdated vulnerability to gain root access
- Exploiting the loadmodule vulnerability to gain root access
- Installing Trojan horse programs and packet sniffers
- Launching IP spoofing attacks
Work continues in 1996 on incidents involving all the types of activity noted in this annual report.
Part of a Collection: CERT Annual Reports (1994-2010)
Cite This Annual Report
@techreport{Citekey_1996,
author={Software Engineering Institute},
title={CERT Coordination Center 1995 Annual Report},
month={Jan},
year={1996},
howpublished={Carnegie Mellon University, Software Engineering Institute's Digital Library},
url={https://www.sei.cmu.edu/library/cert-coordination-center-1995-annual-report-summary/},
note={Accessed: 2026-Apr-22}
}
Software Engineering Institute. "CERT Coordination Center 1995 Annual Report." Carnegie Mellon University, Software Engineering Institute's Digital Library. Carnegie Mellon's Software Engineering Institute, January 1, 1996. https://www.sei.cmu.edu/library/cert-coordination-center-1995-annual-report-summary/.