Slashdot Mirror

← Back to Domains

Domain: sans.org

Stories and comments across the archive that link to sans.org.

Stories · 129

  1. Five Hackers Who Left a Mark on 2006

    It · Security · · posted by ScuttleMonkey · from the who-stole-the-spotlight dept. · 75 comments
    espera un momento writes "eweek.com picks the five hackers who made a significant impact on security and vulnerability research in 2006. These are some interesting choices of the guys (and gal) who dominated the media headlines. The topics covered included Wi-Fi bugs, browser flaws and rootkits."

  2. Microsoft Issues Zero-Day Attack Alert For Word

    It · Security · · posted by kdawson · from the incoming dept. · 483 comments
    0xbl00d writes "Eweek.com is reporting a new Microsoft Word zero-day attack underway. Microsoft issued a security advisory to acknowledge the unpatched flaw, which affects Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac and Microsoft Word 2004 v. X for Mac. The Microsoft Works 2004, 2005 and 2006 suites are also affected because they include Microsoft Word. Simply opening a word document will launch the exploit. There are no pre-patch workarounds or anti-virus signatures available. Microsoft suggests that users 'not open or save Word files,' even from trusted sources."

  3. How to Prevent Form Spam Without Captchas

    · posted by ryuzaki0 · from the can't-beat-the-curte-power-of-kittenauth dept. · 272 comments
    UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."

  4. How to Prevent Form Spam Without Captchas

    · posted by ryuzaki0 · from the can't-beat-the-curte-power-of-kittenauth dept. · 272 comments
    UnderAttack writes "Spam submitted to web contact forms and forums continues to be a huge problem. The standard way out is the use of captchas. However, captchas can be hard to read even for humans. And if implemented wrong, they will be read by the bots. The SANS Internet Storm Center covers a nice set of alternatives to captchas. For example, the use of style sheets to hide certain form fields from humans, but make them 'attractive' to bots. The idea of these methods is to increase the work a spammer has to do to spam the form without inconveniencing regular users."

  5. Demo Virus For Mac OS X Released

    · posted by ryuzaki0 · from the i-don't-think-i'll-download-that-demo dept. · 268 comments
    Juha-Matti Laurio writes "Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise."

  6. IE7 Released As High-Priority Update

    · posted by ryuzaki0 · from the meet-the-new-boss dept. · 438 comments
    jimbojw writes, "Internet Explorer 7 was finally released this morning and is available via automatic update or download from Microsoft." And an anonymous reader notes stats on IE7 and FF2 downloads, adding: "Looks like FF2 is already outnumbering FF 1.5, while IE7 is having a hard time to find followers. Will today's release as a high-priority, force-fed update fix this issue?" The sans.org stats site will be updated throughout the day, so perhaps we'll get an indication.

  7. Zero-Day Team Launches with Emergency IE Patch

    · posted by ryuzaki0 · from the heroes-of-the-buggy dept. · 157 comments
    Holy Mother of Thor writes to mention an eWeek article about a third-party patch for Internet Explorer. A dark horse security group formed after the WMF attacks in late 2005, the ZERT (Zero Day Emergency Response Team) has released a patch to attempt to slow the malware attacks on Windows. From the article: "'It is clear that we are dealing with an underground group of people who are writing exploits for profits. They are waiting for Patch Tuesday to pass, then it becomes Exploit Wednesday. We're seeing these zero-days in the wild, timed precisely to guarantee at least an entire month to spread,' Stewart said in an interview with eWEEK. Stewart, who is volunteering his reverse-engineering skills and time to ZERT in his private capacity, wrote an early version of the VML (Vector Markup Language) patch the group released Sept. 22 and worked closely with others to fine-tune the update to minimize potential glitches."

  8. Former MS Security Strategist Joins Mozilla

    · posted by ryuzaki0 · from the jumping-the-fence dept. · 248 comments
    Handset writes "Former Microsoft security strategist Window Snyder is joining Mozilla to lead the company's effort to protect its range of desktop applications from malicious hacker attacks. eweek.com reports that Snyder, who was responsible for security sign-off for Microsoft's Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla's security strategy and improve its communications with external hackers and bug finders."

  9. MS Security Guru Leaves for Amazon.com

    · posted by ryuzaki0 · from the leaving-is-hard-to-do dept. · 103 comments
    Rocky Mann writes "Jesper Johansson, a security guru for Microsoft, is leaving the company to join Amazon.com. Johansson served for some five years as a 'senior security strategist', and is considered one of the world's leading experts on how to protect installations of Windows." From the article: "Johansson is also an advocate for the use of safe-passwords techniques in the enterprise. At the height of the WMF zero-day attacks earlier in 2006, Johansson offered measured advice on the use of unofficial patches and he was constantly on the move, traveling around the world to help customers figure out how to use Microsoft's products securely."

  10. Windows Rootkit Wars Escalate

    · posted by ryuzaki0 · from the most-secure-version-of-windows-ever dept. · 342 comments
    An anonymous reader writes "The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in a ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

  11. Predicting Malware

    · posted by ryuzaki0 · from the seasonal-malice dept. · 61 comments
    Pseudonymous B*ard writes "SANS has an interesting article showing how to predict what forms future malware will take. For example, last year there were many hurricane-related scams, while this year, another bad hurricane season is predicted. SANS has noticed that the scammers are gearing up for this and that many new domains with the words Alberto, Beryl, donation, and hurricane have been registered (Alberto & Beryl are the first two names on the hurricane list). The only question now is whether hackers will be able to preempt any of these scams before they have a chance to be used?"

  12. Return of the Web Mob

    · posted by ryuzaki0 · from the cement-shoes-for-everyone dept. · 146 comments
    Parore writes "eWeek is running a story about the return of the web mob, highlighting all the similiarities between the online attacks and the real-world mafia. From the article: "Black hat hackers have set up e-commerce sites offering private exploits capable of evading anti-virus scanners. An e-mail advertisement intercepted by researchers contained an offer to infect computers for use in botnets at $25 per 10,000 hijacked PCs. Skilled hackers in Eastern Europe, Asia and Latin America are selling zero-day exploits on Internet forums where moderators even test the validity of the code against anti-virus software."

  13. Ambidextrous Linux/Windows Virus

    · posted by ryuzaki0 · from the getting-it-from-both-ends dept. · 361 comments
    Lam1969 writes "Kaspersky Labs has reported a new proof-of-concept virus that can infect both Windows and Linux systems. It's called Virus.Linux.Bi.a/Virus.Win32.Bi.a and affects ELF binaries and .exe's from windows. SANS has a brief item on the cross-platform virus as well, but no information about a patch or signature yet."

  14. Hacked Chinese Bank Server Phishes for US Banks

    · posted by ryuzaki0 · from the why-do-people-fall-for-these-things? dept. · 47 comments
    1sockchuck writes "A Chinese bank's servers are being used in phishing attacks against U.S. institutions, apparently the first time one bank's infrastructure has been used in attacks on other banks. A hacked server from China Construction Bank Shanghai Branch is hosting pages spoofing Chase and eBay. The scam is one of numerous sites using a social engineering hook promising a $20 reward for recipients who complete a survey about the bank's online services. It then asks for your account login and password - so it can deposit the $20 in the correct account, of course. Plus your Social Security number, mother's maiden name etc."

  15. McAfee Anti-Virus Causes Widespread File Damage

    · posted by ryuzaki0 · from the who-can-you-trust? dept. · 353 comments
    AJ Mexico writes, "[Friday] McAfee released an anti-virus update that contained an anomaly in the DAT file that caused many important files to be deleted from affected systems. At my company, tens of thousands of files were deleted from dozens of servers and around 2000 user machines. Affected applications included MS Office, and products from IBM (Rational), GreenHills, MS Office, Ansys, Adobe, Autocad, Hyperion, Win MPM, MS Shared, MapInfo, Macromedia, MySQL, CA, Cold Fusion, ATI, FTP Voyager, Visual Studio, PTC, ADS, FEMAP, STAT, Rational.Apparently the DAT file targeted mostly, if not exclusively, DLLs and EXE files." An anonymous reader added, "Already, the SANS Internet Storm Center received a number of notes from distressed sysadmins reporting thousands of deleted or quarantined files. McAfee in response released advice to restore the files. Users who configured McAfee to delete files are left with using backups (we all got good backups... or?) or System restore."

  16. Searching for Botnet Command & Controls

    · posted by ryuzaki0 · from the i-want-them-alive-no-disintegrations dept. · 114 comments
    Orange Eater writes "eWeek has a story about a group of high-profile security researchers intensifying the search for the command-and-control infrastructure used to power botnets for malicious use. The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity." From the article: "Operating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers."

  17. Professor 'Packetslinger' Assigns Questionable Task

    · posted by ryuzaki0 · from the applications-flooding-in-for-the-school-of-loose-screws dept. · 411 comments
    mrowton writes "A professor at an undisclosed university recently assigned a practical for his computer-security class. The practical, which is worth 15 percent of the students final grade, requires students to perform reconnaissance on an internet server using tools available in the public domain. While the university is allowing the practical to continue it has also stated that the techniques should not be performed on their own web servers. If students are caught performing any scans against university computers then it would prompt: "Disabling their student account and referring them to the Student Dean of Corrections." The assignment was enough for SANS to dub him 'Professor Packetslinger of the School of Loose Screws.'"

  18. Phishing Site Using Valid SSL Certificates

    It · Security · · posted by ScuttleMonkey · from the new-phace-of-phishing dept. · 368 comments
    UnderAttack writes to tell us the Washington Post SecurityFix blog has an interesting article about a new and rather sophisticated phishing scheme. The email not only used the first few digits of the users card number to look more plausible (even though the first part of the number is the same for all cards), but it also used a valid SSL certificate for its domain name."

  19. Trustworthy Computing

    Tech · Windows · · posted by Hemos · from the how-to-solve-these-issues dept. · 465 comments
    Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."

  20. Trustworthy Computing

    Tech · Windows · · posted by Hemos · from the how-to-solve-these-issues dept. · 465 comments
    Anonymous Coward writes "This is a first: the Internet Storm Center is recommending trustworthy computing. They want you to trust that the unofficial patch for the Windows Metafile Volunerability that is currently being exploited by an IM worm. No patch from Microsoft at this time, and the exploit is arranged in such a manner that it cannot be detected by most intrusion detection systems (the snort rule will peg the CPU on your router) nor filtered by packet-inspecting firewalls (it spans two or more ethernet frames). Not really a whole lot of choice about this one."

  21. New IM Worm Exploiting WMF Vulnerability

    It · Worms · · posted by CmdrTaco · from the happy-new-years-windows-users dept. · 360 comments
    An anonymous reader writes "After less than a four days after original mailing list posting there are reports about a new Instant Messaging worm exploiting unpatched Windows Metafile vulnerability. This worm is using MSN to spread, reports Viruslist.com."

  22. "Dasher" Worm Brings Christmas Keylogger

    It · Worms · · posted by CowboyNeal · from the sneaking-in-through-the-chimney dept. · 114 comments
    An anonymous reader writes "A worm called 'Dasher' is exploiting a flaw in Windows that Microsoft issued a patch for in October, dropping keyloggers on infected machines, according to F-Secure. The SANS Internet Storm Center warned earlier this week about the weird traffic generated by the first version of this worm, which apparently was crippled by programming errors. Washingtonpost.com has some information that indicates the worm appears to have originated in China. It appears from the Microsoft advisory that Dasher is a threat mainly to Windows 2000 users, although it could impact Windows Server 2003 and Windows XP users who aren't running SP2." Update: 12/17 17:20 GMT by Z : Fixed link to SANS center.

  23. MS05-039 Worm in the Wild

    It · Worms · · posted by CmdrTaco · from the brace-for-impact dept. · 252 comments
    An anonymous reader noted that SANS is reporting that the MS05-039 worm is in the wild. It has been named Zotob.A. Not a lot of information on this one yet except that it's trying to FTP files from a subnet.

  24. Internet Security Warnings

    It · Security · · posted by CmdrTaco · from the we-have-a-code-yellow-people-this-is-not-a-drill-omg-freak-out dept. · 296 comments
    Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

  25. Internet Security Warnings

    It · Security · · posted by CmdrTaco · from the we-have-a-code-yellow-people-this-is-not-a-drill-omg-freak-out dept. · 296 comments
    Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

  26. PHP Blogging Apps Open to XML-RPC Exploits

    Tech · Internet · · posted by Zonk · from the batten-down-the-hatches dept. · 166 comments
    miller60 writes "A bunch of popular PHP-based blogging and content management apps are vulnerable to a security hole in the PHP libraries handling XML-RPC, which could allow a server compromise. Affected apps include Wordpress, Drupal, PostNuke, Serendipity, phpAdsNew, phpWiki and many more. The presence of the security hole in a large number of programs is among the factors leading the Internet Storm Center to warn that the environment is ripe for a major Internet security event."

  27. DNS Cache Poisoning Update

    It · Security · · posted by Zonk · from the trustno1 dept. · 199 comments
    dhammabum writes "Todays SANS internet storm handler has put up an excellent update of the DNS poisoning vulnerability currently doing the rounds. The main points are that only Windows DNS servers are vulnerable (degrees of vulnerability depending on patch level), provided you are not running an ancient version of bind. Also bind4 and bind8 do not clean poisoned caches if they receive them from a poisoned Windows DNS server but bind9 does."

  28. DNS Cache Poisoning Spreads Malware

    Tech · Internet · · posted by timothy · from the cold-hard-cache dept. · 314 comments
    Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

  29. DNS Cache Poisoning Spreads Malware

    Tech · Internet · · posted by timothy · from the cold-hard-cache dept. · 314 comments
    Gamma_UCF writes "As of April 4, 2005 the SANS Internet Storm Center has raised their alert level to Yellow following a rash of active DNS poisonings. The infected DNS servers are re-directing users from popular sites such as Google or American Express to malware infecting advertising sites. According to the ISC presentation on the attack, it is believed to be linked to known spammers and malware distributors. The full presentation of information up until this point can be found here."

  30. GIAC/SANS Certification Changes?

    Ask · Security · · posted by Cliff · from the values-in-practicality dept. · 27 comments
    venom600 wonders: "SANS and GIAC have recently changed their certification requirements, no longer requiring a practical assignment be completed in order to be certified. This has created some discussion around the value of their certifications moving forward. In addition, SANS recently asked current certified individuals (in an email) to provide quotes about the value of their certifications for an upcoming brochure. Since the requirements have changed, the value of the certification has changed as well, making any quotes an unfair assessment of value. This brings me to my question: What IT security certifications are left (if any) that actually provide value to you?"

  31. Worm Hits Windows Machines Running MySQL

    It · Worms · · posted by michael · from the batten-the-ports-prepare-for-heavy-weather dept. · 367 comments
    UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

  32. Worm Hits Windows Machines Running MySQL

    It · Worms · · posted by michael · from the batten-the-ports-prepare-for-heavy-weather dept. · 367 comments
    UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

  33. Worm Hits Windows Machines Running MySQL

    It · Worms · · posted by michael · from the batten-the-ports-prepare-for-heavy-weather dept. · 367 comments
    UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

  34. Worm Hits Windows Machines Running MySQL

    It · Worms · · posted by michael · from the batten-the-ports-prepare-for-heavy-weather dept. · 367 comments
    UnderAttack writes "A report on the Australian whirlpool forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

  35. The Web's 20 Worst Security Flaws

    It · Security · · posted by timothy · from the ie-is-one-through-seven dept. · 214 comments
    XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

  36. The Web's 20 Worst Security Flaws

    It · Security · · posted by timothy · from the ie-is-one-through-seven dept. · 214 comments
    XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

  37. The Web's 20 Worst Security Flaws

    It · Security · · posted by timothy · from the ie-is-one-through-seven dept. · 214 comments
    XsynackX writes "The SANS Institute released its Top-20 list of the biggest vulnerabilities on the web today. The SANS Top 20 Internet Security Vulnerabilities list is actually a compilation of two lists--the top 10 Windows vulnerabilities and the top 10 Unix vulnerabilities. The list goes into almost more detail than any one person could ever take in on individual security flaws, but provides a wealth of knowledge for those who like to get in-depth. Interestingly enough, the browser section of the Windows vulnerabilities lists everyone's favorite browser Internet Explorer with 15 flaws and Mozilla with only 7."

  38. GDI Vulnerabilities: An Open Letter to Microsoft

    It · Security · · posted by michael · from the your-call-is-important-to-them dept. · 444 comments
    UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

  39. GDI Vulnerabilities: An Open Letter to Microsoft

    It · Security · · posted by michael · from the your-call-is-important-to-them dept. · 444 comments
    UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

  40. Curing a Corporate Virus Infection

    It · Security · · posted by michael · from the lift-off-and-nuke-the-site-from-orbit dept. · 346 comments
    museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

  41. Curing a Corporate Virus Infection

    It · Security · · posted by michael · from the lift-off-and-nuke-the-site-from-orbit dept. · 346 comments
    museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

  42. Survival Time for Unpatched Systems Cut by Half

    It · Security · · posted by CmdrTaco · from the fire-your-walls dept. · 460 comments
    UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."

  43. Survival Time for Unpatched Systems Cut by Half

    It · Security · · posted by CmdrTaco · from the fire-your-walls dept. · 460 comments
    UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."

  44. Survival Time for Unpatched Systems Cut by Half

    It · Security · · posted by CmdrTaco · from the fire-your-walls dept. · 460 comments
    UnderAttack writes "The Internet Storm Center published a graph showing historic trends for the "Survival Time" of unpatched, unprotected (windows) computers connected to the internet. Turns out, this number dropped from about 40 minutes last year, to 20 minutes this year. The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe. The data is collected from a large number of networks with different types of upstream protection. So if you are on an unprotected cable/DSL line, you may see probes much more frequently. Either way, 20 minutes is not long enough to download patches. The Honeynet Project did publish a paper with some stats back in 2001."

  45. Windows XP SP2 Impressions

    Tech · Windows · · posted by michael · from the do-you-feel-lucky? dept. · 683 comments
    A roundup of concerns and problems with Windows XP SP2 from the early adopters: Many, many users are reporting problems with SP2 limiting outbound TCP/IP connections. This appears to be nailing anyone who makes heavy network use of their machine, including especially users running P2P applications. A Microsoft blog rounds up some reports, as does SANS. Microsoft has objected to people helping them distribute SP2.

  46. Analysis of Spyware

    Yro · Privacy · · posted by timothy · from the incompatable-with-my-OS dept. · 246 comments
    scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"

  47. Analysis of Spyware

    Yro · Privacy · · posted by timothy · from the incompatable-with-my-OS dept. · 246 comments
    scubacuda writes "What actually happens when you install adware/spyware/malware? Follow the Bouncing Malware examines what's downloaded, redirected, and obfuscated. A fascinating read. (Part two was postponed in order to cover a new My Doom variant.)"

  48. Latest MyDoom Variant Gives Google Problems

    Tech · Google_Fb · · posted by simoniker · from the down-and-out dept. · 607 comments
    Devil's BSD writes "It seems like the latest MyDoom worm variant has caused a bit of an Internet storm. Google, at this time (12:28 EDT), is returning 503 errors on all queries submitted from certain locations. The MyDoom variant searches the user's address book for email domains (i.e. @yahoo.com) and searches various engines (such as Google) for email addresses in that domain."

  49. New Windows Worm on the Loose

    It · Security · · posted by michael · from the batten-down-your-ports dept. · 622 comments
    Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."

  50. New Windows Worm on the Loose

    It · Security · · posted by michael · from the batten-down-your-ports dept. · 622 comments
    Dynamoo writes "The Internet Storm Center has issued a Yellow Alert due to the spread of the Sasser worm exploiting Windows 2000 and XP machines through a documented flaw in the Local Security Authority Subsystem Service (LSASS) as described in Microsoft Bulletin MS04-011. Initial analysis seems to indicate classic Blaster-style worm behaviour. Right now I'm just getting a probe every 10 minutes or so on my firewall, but this is bound to escalate sharply as the pool of infected machines grows. Of course all good Windows-using Slashdotters visit Windows Update regularly and have a firewall, don't you? More information at Computer Associates, F-Secure, Symantec and McAfee."