Hi all - Is this kind of security information important for you to receive?

Bill Romond

-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]]
Sent: Thursday, December 14, 2000 11:03 AM
To: [log in to unmask]
Subject: [Ansir] ANSIR E-Mail (NIPC Assessment 00-62)

12/14/00

ANSIR E-MAIL: National Infrastructure Protection Center (NIPC)
"Anonymous File Transfer Protocol (FTP) Login exploitation" (NIPC Assessment 00-62)

Recent Cyber Intrusion:

The FBI has become aware that a regional entity in the electric power industry has recently experienced computer intrusions through the Anonymous FTP (File Transfer Protocol) Login exploitation. The intruders used the hacked FTP site to store and play interactive games that consumed 95 percent of the organization's Internet bandwidth. The compromised bandwidth threatened the regional entity's ability to conduct bulk power transactions. The intruders apparently have created an automated exploit that finds a system offering FTP services and an anonymous login, and then examines the entire system tree structure looking for any directory with write privileges.

Anonymous FTP Login Exploit Countermeasures:

The Anonymous FTP, where the FTP server allows global user access without requiring a specific name and password, is often used by hackers as a means to exploit other vulnerabilities. System Administrators are advised to check their networks for FTP access, especially for illicit FTP servers that can provide a back-door into the LAN (Local-Area-Network). Since this is a configuration issue, patches are not applicable. If Anonymous FTP access is needed at the site, limit the permissions of anonymous users to access other directories, and allow access only to the directories to which you want them to write. Anonymous users should not have permission to write to other directories or to read the directory to which they are allowed to write.

System Administrators are also advised to review CERT/CC's article on "Anonymous FTP Abuses" for further information (http://www.cert.org), and to discuss specific countermeasures with their specific security vendors. No single countermeasure will provide complete security. Good security consists of a mix of technical, physical, and personnel security measures with all elements as an integral part of your organizational security plan.

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or civilian computer incident response group, as appropriate. Incidents may be reported online at: http://www.nipc.gov/incident/cirr.htm. Additional information on the NIPC and NIPC Advisories is available at: http://www.nipc.gov

Recipients are asked to report, actual or suspected, criminal activity to their local FBI office or to NIPC, and to your military or civilian computer response group and other law enforcement agencies as appropriate. Incidents may be reported online at http://www.nipc.gov/incident/cirr.htm.

This FBI Awareness of National Security Issues and Response (ANSIR) communication is intended for corporate security professionals and others who have requested to receive unclassified national security advisories. Individuals who wish to become direct recipients of FBI ANSIR communications should provide business card information, i.e. company name, address, phone, fax, etc., to [log in to unmask] for processing, with a brief description of the product and/or service provided by your organization.
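
An added example, not part of the original advisory or of the message above: a small Python audit of the countermeasure it describes, run locally over an anonymous FTP root to flag directories the anonymous account can write to outside the intended upload area, and upload directories it can also list. The account IDs, directory names and sample tree are constructed assumptions, and the check covers classic Unix mode bits only, not ACLs or the FTP server's own configuration.

```python
import os
import tempfile

def effective_bits(st, uid, gids):
    """Return the rwx bits (0-7) that classic Unix permissions give uid/gids."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_anon_ftp(root, anon_uid, anon_gids, upload_dirs=()):
    """Walk the anonymous FTP root and return sorted (relative_path, finding) pairs.

    upload_dirs holds the relative paths where anonymous uploads are intended.
    """
    findings = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        bits = effective_bits(os.stat(dirpath), anon_uid, anon_gids)
        writable = (bits & 3) == 3      # creating entries needs write + search
        readable = bool(bits & 4)       # read on a directory means it can be listed
        if writable and rel not in upload_dirs:
            findings.append((rel, "writable outside the intended upload directories"))
        elif writable and readable:
            findings.append((rel, "upload directory is also listable"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample layout: pub, incoming, and a stray writable pub/docs."""
    root = tempfile.mkdtemp(prefix="anonftp-")
    for rel, mode in (("pub", 0o755), ("incoming", 0o777), ("pub/docs", 0o777)):
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)            # chmod so the umask does not alter the mode
    os.chmod(root, 0o755)
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    st = os.stat(root)
    # Assumption: the anonymous account is neither the owner nor in the owning group.
    for rel, finding in audit_anon_ftp(root, st.st_uid + 1, {st.st_gid + 1}, ("incoming",)):
        print(f"{rel}: {finding}")
```

On a real server, pass the numeric uid and group ids of the account the FTP daemon uses for anonymous sessions and the upload directories you intend to offer.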