Domain: sans.org
Stories and comments across the archive that link to sans.org.
Comments · 672
-
More details at...
SANS has a concise summary:
http://isc.sans.org/diary.php?storyid=1845&isc=2e01b45094b0425b829255e39eb2f8d2
Or look at the Month of Kernel Bugs site itself:
http://projects.info-pull.com/mokb/MOKB-11-11-2006.html -
This is on the front page of slashdot why?
So, this is a "virus" that is nothing more than something that programmatically attaches/appends itself to other files that are in the same directory as itself when executed (which is easy to do and doesn't rely on any deficiency in the system), isn't in the wild and therefore doesn't have any real impact on users, is a proof-of-concept, and still has no vector or mechanism for propagation, much less mass-propagation?
Wow. Um. Raise the alarm. One if by land, two if by sea, and all that.
Oh, and here's my new piece of nasty Mac OS X malware:
Place this in a text file and name it ElectricSlide.command:
rm -rf ~/*
Double click it. Voilà. A piece of malware that can't actually spread that deletes the contents of your home directory with no warning!
Maybe we can see a Symantec warning about OSX.ElectricSlide!
I realize Symantec or any AV vendor has to catalog known malware, but come on: the coverage this is getting is ridiculous, and now the front page of slashdot?
Mac OS X certainly has vulnerabilities. The people saying it doesn't are morons. But the problem is that any vulnerability discovered in any Apple product gets amplified in the press massively disproportionately. For example, the iPod Windows virus issue:
By all accounts, there was likely a Windows PC used for QA at a non-Apple contractor that was infected with a virus that was infecting iPods with the virus when they were plugged in to that machine. (If anything, this is a problem in the QA process at Apple's manufacturing contractors, not ANY indication that "Macs" or Apple are any more susceptible to viruses or attacks, in any way, shape, or form - I'm surprised at the level of shoddy journalism on this. This is a Windows worm copying itself to a locally attached Windows disk (that happens to be an iPod), nothing more. Yes, it's really bad for any manufacturer to ship something with a virus on it, but this doesn't indicate the susceptibility of Apple or Macs in general. If anything, it indicates the iPod is effective as a USB-attached disk. Which it is. Again, no excuse for the processes to let something like this happen, but still.)
Then, the coverage of this goes on to rehash the (incorrect) assumption that someday there will be a huge worm outbreak on Macs, an assertion that is completely unrelated to iPods being infected with a Windows (or even Mac) virus.
I'm not going to rehash why it's literally impossible for the type of devastating mass-propagating worms that we've seen on Windows to happen on Macs; marketshare/presence alone is enough to make that argument, but marketshare is only one of many factors.
I predict that we'll continue seeing these sky-is-falling and "WAKEUP CALL FOR APPLE" articles month after month and year after year, with nothing actually happening of any consequence to the installed Mac OS X base. Will there be new viruses, worms, malware, and proofs of concept of malicious items for Mac OS X? Yep. Absolutely. Just as there have been. Will there be something that can mass-propagate to the point where it costs the tens/hundreds of billions of dollars and hundreds of thousands of manhours in recovery and lost productivity like we do on Windows? Nope. The architectural, use, marketshare, and security differences on the Apple platform versus Windows ensures that.
The coverage of this will likely be further classic examples of press jumping on any negative or security-related story that has to do with Apple.
Maybe this will even be the sixth or seventh, by my count, "FIRST MAC OS X VIRUS" story that can be trumpeted around on CNN, AP, and Reuters! One can only hope!
Also, before anyone says "There's also a Bluetooth 0day for OS X," that would actually be the same, months-old, single Bluetooth issue that has already been reported on months ago, and that was patched in all versions of Mac OS X for a year even at the time that the worm, -
sans.org statistics link not working
Link http://isc.sans.org/diary.php?storyid=1816 mentioned has not been working for some hours. It will open only a blank page with 'Previous' and 'Next' links to other SANS Diary entries.
-
outside!
According to this SANS article the DoS attacks come from outside.
If I understand it, it is with a corrupted DNS reply packet. -
MS Cluster Service = ICS
Please see here:
http://isc.sans.org/diary.php?storyid=1809
MS Cluster Service will not work without ICS running, it is used for internal NAT handling.
So the problem is much more widespread than small LANs using ICS. -
Re:Restrictive Firewall Infection
Nachi was devastating if you got it. Someone brought it in on a laptop and plugged it in to a site network before we had patched, bringing down everything, even switching infrastructure. Conversely, not all grey-hat creations have such a negative effect. Code Green was relatively innocuous and did its job well with very little impact.
Sans Code Red Reference -
Re:I have plenty of reasons to dislike Microsoft..
Obviously they didn't install security updates before going about their business
Yes. But the machine came under attack within seconds of connection. Best case, you're downloading worms and MS updates simultaneously. The barn door will be closed...right on the horses' departing derrieres.
And IIRC, this is the first thing Windows will do upon connecting to the internet.
In other words, quite possibly too late.
They also mention IIS.... does home version even ship with IIS???
No, but worms don't know that. I guess the upside is that there's at least one recorded attack in the sample that this particular installation wasn't vulnerable to.
The SANS Institute Internet Storm Center tracks "Internet Survival Time". Currently it's 23 minutes. That means an out-of-the-box Windows PC, connected unprotected to a live Internet connection, has on average 23 minutes before being pwnd. That might be long enough to finish your most critical bits of Windows Update business, except that's an average, so half the time you have LESS than 23 minutes before pwnage.
Take-away from this: Ma and Pa hooking up their brand-spanking new HP or Dell or emachines will become the proud owners of a zombot within minutes of connection, unless they're extraordinarily lucky or very well advised (for instance "buy a hardware router/firewall and use it" or "run all the security patches on this CD-R before going online").
And speaking of "well advised" and SANS Institute, read "Windows XP: Surviving the First Day". (WARNING: PDF) There's some good stuff in there. The SANS guys (and gals) are the Good Guys (and Gals).
-
Re:Not Chinese
You're reading too much into individual components of my post, and not taking them as a whole. I'll answer your questions in turn. For one, how does someone backtrack to the original host? By gaining control of the next hop, one at a time, essentially. You know that your box got owned by 10.20.30.1, so you counter-hack it. Once in, you look around, and see who connects to it. More importantly, you see who is connected to it while it connects to your box. (This is detailed in a number of the articles linked in the Schneier article I referenced in my original post as the method used.) Rinse, repeat, until you are on a box where the person connecting to the next hop in the chain isn't on an SSH shell, but is local. This is an oversimplified explanation, but is quite technically accurate; the means employed can range from leveraging the tools placed there already by the hacker to using your own. You could also conceivably enlist the assistance of the organizations that own all the hacked boxes, but this would be a nightmare to accomplish, and since the person investigating Titan Rain has been confirmed to essentially be breaking the law by hacking, I'm sure this wasn't how he did it.
And no, I'm not saying that just because it's not a Windows box spouting spam or whatnot, but is instead a unix-flavored system doing very specific things, it's the Chinese. I'm saying that because it's a unix-flavored box at the end of a long train of hacked proxies (keep in mind that without the backtracking, the assumed culprit would have been South Korea in most cases, everyone) where the only person logged in doing naughty things to us is there locally, in a country whose military was the very first to espouse information warfare as a legitimate method in current times...well, that's a much clearer picture. I think you get the idea. To counter, let me point out that the argument has been, up to this point, "It can't be China, because lots of Chinese boxes get owned, and it could just be a bot owned by someone else." That's an argument for skepticism and closer investigation, not a logically sound way to say that the entire population of the world's largest country is impossible of being capable of hacking. And when you look at WHAT is being hacked, and what information is being stolen, then you can see the shopping list that is being used, which is typical of an organized intelligence-gathering organization. -
Re:And for the new setSlice
meh. screwed up the post. no coffee yet this morning.
exploit code
Gadi Evron's post on Bugtraq
Third party fix.
See if you are vulnerable. -
And for the new setSlice
In other news, according to SANS, there is publicly available exploit code out there for the new setSlice bug. According to Gadi Evron's post, "there's a rootkit, some malware, and haxdor". There's a third party (easily reversible) fix, and a way to test if your browser is vulnerable here.
-
The ISC discussed this yesterday
Look for more information on the ISC Web site. Bottom line is this is not an OS issue, rather a "firmware/driver" issue.
-
Re:Link about the actual virus
Gee. Wonder why it's not written for the techie/slashdot crowd. Huh. Oh yeah, it's The Washington Post. It has to be understandable to people who aren't complete geeks.
According to a writeup at the SANS Internet Storm Center, the message generated by the virus reads: "What is love? Sending her 999 roses knowing she doesn't love him. What is waste? Sending her 999 roses know she loves him." That SANS advisory also notes that 3 (count 'em THREE) proof of concept exploits have been published for this vulnerability. -
Re:An interesting read
Well, seeing how many squids there are in the world (every major restaurant has them), I would say that at least their availability is doing well (if not confidentiality and integrity also). Oh, and to the OP, also check out the Internet Storm Center (part of SANS). http://isc.sans.org/ and maybe some vendor blogs. F-Secure keeps one I like to read every once in a while.
-
Re:Good Luck
When I said critical I meant vulnerabilities that could cause the server to be compromised. IIS6 had never had any.
Now let's analyze your last post...
"How about a buffer overflow exploit? Does that count?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-April/033445.html"
Sorry, but that one does count because it's not real.
"How about this long list as compiled by a Microsoft MVP?
http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx"
That list counts every vulnerability in Win2k3 since it was released, and is not relevant. IE/Media Player/Flash/SMB vulnerabilities cannot be exploited via IIS6.
"How about these honorable mentions as well?
http://www.aqtronix.com/Advisories/AQ-2003-02.txt (unannounced by Microsoft)
http://isc.sans.org/diary.php?date=2005-10-11
http://www.securityfocus.com/bid/9409"
Hmm. The first is an IIS5 vulnerability. Try reading past the first line next time.
The second one is not an IIS6 or IIS5 vulnerability. Not sure WTF you posted that for.
The third one is an Exchange Vulnerability. Exchange != IIS6
"Let's also not forget that....several vulnerabilities to underlying systems and DLLs caused IIS6 to be vulnerable as well."
Just because some dll or binary is vulnerable in Windows does not necessarily mean it can be exploited via IIS. You are grasping for straws here.
So let's sum up your glorious rebuttal to my claim that IIS6 has had no critical vulnerabilities.
* You've posted a fake (Here's your sign!) vulnerability.
* You've posted a list of all of the vulnerabilities in Win2k3, and insinuated that they all can be exploited via IIS6
* You've posted two vulnerabilities that had nothing to do with any version of IIS, and one IIS5 vulnerability.
* You repeatedly brought up IIS5, when in fact I never brought up IIS5 and was specifically talking about IIS6. -
Re:Good Luck
Faster? Perhaps, but by whose measure? I've never seen a useful (yes, Microsoft's don't count as useful) Apache/IIS performance comparison.
Measure yourself. Apache doesn't have the same overhead. Use the exact same computer and install IIS on Windows. Do the same with Apache on Linux. Optimize them both as much as you want; for Linux, run without X Windows and shut down all other unnecessary services. Now see which handles 1000 concurrent requests better. You will find that the Apache webserver can run using 25-50% fewer resources. Windows cannot, as it requires the GUI to be able to run, has several other services running that it can't shut down, and cannot virtualize well nor fill as many requests as fast.
Try it if you don't believe it.
More secure? Why do you think that? IIS6 has never had a critical vulnerability discovered for it. In the same time frame you can't say that for Apache 1.x and 2.x.
How about a buffer overflow exploit? Does that count?
http://lists.grok.org.uk/pipermail/full-disclosure/2005-April/033445.html
How about this long list as compiled by a Microsoft MVP?
http://msmvps.com/blogs/bernard/archive/2004/06/10/7882.aspx
How about these honorable mentions as well?
http://www.aqtronix.com/Advisories/AQ-2003-02.txt (unannounced by Microsoft)
http://isc.sans.org/diary.php?date=2005-10-11
http://www.securityfocus.com/bid/9409
Oh really? Must we forget that IIS before that had vulnerabilities every MONTH that were so bad that it allowed several different viruses and exploits destroy any market gains they had made over 5 years??
Let's also not forget that it is IMPOSSIBLE to run IIS without Windows, and thus several vulnerabilities to underlying systems and DLLs caused IIS6 to be vulnerable as well. Look through the long long list of Windows vulnerabilities and you will find several that claim they affect IIS as well. Others you won't see even though hacks, viruses and exploits directly affect DLLs that it needs to run. Does Microsoft count that as a hack? Nope. It's to an underlying system that they consider Windows and NOT IIS (even though IIS would crash in a heartbeat).
And finally, let us not forget the long list of security experts that mention these exploits and only get them fixed AFTER a published exploit is released or after the security expert threatens to release the information to the public. -
Voila! Here are some that may help you get started:
SANS Top 20 (worth reading)
Windows Server 2003 Security Guide
Overview of the Windows 2003 Server
You can migrate some of the administrative tools under Windows 2003 SMB server over to XP. But I'm under the assumption you're looking at things from a server perspective. As for firewalls, etc., you have to define if you want a true firewall as opposed to relying on Windows' shabby firewall. If so then I suggest you take a look at Juniper's Netscreen Elite 5X if you're a small business. I mention this instead of Checkpoint or others since I have used many and my best recommendation would be the Netscreen. This comes by way of having to migrate a slew of Checkpoints along with Rainwall for management to Netscreen. Things were so shoddy with Checkpoint's IPSO, even Checkpoint wouldn't support the financial institute I was doing work for. This forced us to rethink our tools and after months' worth of tiger team testing, we went with Juniper. -
Re:Who is SANS, anyway?
The link is to www.securemac.com. Feedback on both Versiontracker and MacUpdate suggests that the SecureMac application is at best, useless and at worst, dangerous.
Fair enough - I'm not familiar with their product, but with the first three pages of Google searches essentially just regurgitating press releases from the company I'm more than willing to accept that the only source touting this software is the company itself.
The hacked discussion board seems to be missing from their links now.
:P Alas, the dynamic nature of the web strikes again.
:-) Although I suppose that's actually "A Good Thing" if the discussion board was compromised. I still want to know why I should treat the SANS Institute as an authoritative source, given that I know nothing about them, can find out next to nothing about them, and I find some of their data questionable.
I'll add to that the number of self-proclaimed 'internet security experts' is legion, with most of them having their own agendas.
Hehe, totally agree about the legions of 'experts' out there.
:-) And I think that actually makes it difficult to "prove" that the ISC writeups are worth listening to. If you google for handler Jim Clausing, you'll see that he's been in IT admin and security for over 20 years, but of course there are plenty of counterexamples of people who've spent decades in the computer industry without having a clue. George Bakos, another handler, is the senior security expert at Dartmouth College's Institute for Security, but people can hold academic posts without having practical, real-world experience. Lenny Zeltser is the Information Security Practice Leader at Gemini Systems and teaches a course on analyzing malicious software, but if you don't know anything about Gemini and haven't taken the course you still don't know if he's an expert or a poser. Marcus Sachs is Deputy Director of DHS's Cyber Security R&D Center, has co-authored several books on security, and spoken at Black Hat, but ... well, again, those are just positions and words, and you probably don't want to buy/read one of those books just to decide whether you might trust a web site. (There are about 40 handlers at the ISC, but I won't run through each because it still boils down to the same thing - a bogus guru can have paper/web credentials that, on the surface, look as plausible as those of a real expert.) So I think the best I can give you is the "proof is in the pudding" approach. Read a month or two of the Handler's Diary entries. See if you believe that the articles are relevant and accurate. See if there are any major incidents that are not mentioned. (After all, if we really wanted a blog that missed major bugs while misreporting/overhyping other bugs, well, we're both already reading Slashdot.
;-) Ask yourself if this is the work of a bunch of punters, or if this is a credible source of security info. Obviously I have my opinion regarding the site, but hey, that's just me - what I find interesting and informative might well be boring and/or irrelevant to another person. (For instance, someone who deals exclusively with OS/X systems might find all the entries on Windows, Unix, Cisco, etc to effectively be "noise". Doesn't mean the articles are wrong or badly-written, just that 99% of them are going to be irrelevant.) -
Re:Who is SANS, anyway?
From this page at SANS. The link is to www.securemac.com. Feedback on both Versiontracker and MacUpdate suggests that the SecureMac application is at best, useless and at worst, dangerous. The hacked discussion board seems to be missing from their links now.
:P
I still think the actual quote is extreme and alarmist, considering we are comparing a fixed vulnerability with thousands of known exploits. I am still unaware of a single remote exploit against OS X.
Anyway, this is going off the subject a bit. I still want to know why I should treat the SANS Institute as an authoritative source, given that I know nothing about them, can find out next to nothing about them, and I find some of their data questionable.
I'll add to that the number of self-proclaimed 'internet security experts' is legion, with most of them having their own agendas. -
Re:Who is SANS, anyway?
What really started me wondering was the story they had a while ago about "Mac OS security reputation in tatters" or words to that effect. They had absolutely no supporting evidence, and a grand total of two links to outside sources. One of them was a site known for trying to hawk bogus spyware scanners for OS X, and the other was a Mac security discussion board that had been hacked!
Okay, that was from their Spring 2006 Top 20 Vulnerabilities press release. The actual quote regarding Mac OS/X was:
Rapid growth in critical vulnerabilities being discovered in Mac OS/X including a zero-day vulnerability (OS/X still remains safer than Windows, but its reputation for offering a bullet-proof alternative to Windows is in tatters.)
For context, this press release came out around the time of Apple's Security Update 2006-001, which included fixes for multiple remote execution exploits in multiple applications. Between Apple's own info and the Handler's Diary regarding the patches, I wouldn't exactly say that the writeup had "no supporting evidence".
Keep in mind that SANS wasn't impugning Apple's overall security, just the fan-boy attitude that Macs are somehow bullet-proof. If you read the Handler's Diary regularly you'd see similar slapdowns for fan-boys of all stripes - Linux, Firefox, whatever. Nothing is magically secure, and it's hubris to believe otherwise. In late Feb/early March, it just happened to be Apple's turn to face up to some serious security bugs. (Me, I've been running various flavors of Linux since the SLS days - I've long accepted the fact that my favorite OS and its applications are far from perfect.
;-) I might also note that the same SANS press release devoted space to multiple slams against Microsoft products, ongoing vulnerabilities in Firefox and Mozilla, and critical bugs in database and backup tools. These just happened to be some of the top bugs for that particular time period - it's not like Apple or OS/X makes a regular appearance in the SANS Top 20 lists or in the ISC Handler's Diary.
I couldn't identify any links in the SANS or ISC writeups that pointed to bogus spyware scanners or hacked Mac discussion boards - maybe you can point those out to me. (I might've missed something, but all I could see were links to Apple, iDefense, and SecureSec.)
-
Re:Who is SANS, anyway?
I have to ask this, just who is SANS, anyway? We get tons of alarmist reports from them, but nobody ever checks the source. [...] Does anyone have any more information?
The story comes from a SANS ISC Handler's Diary entry from a few days ago. The Handler's Diary is basically a security blog maintained by the volunteers manning the ISC (Internet Storm Center), and the content varies from day to day. It may contain information about new exploits, workarounds, upcoming patches, requests for data on unusual/suspicious network activity, detailed analysis of malware distribution techniques, etc. Or on slower days it might contain random tidbits on something that a handler found curious/interesting, reminders about good security practice, a compendium of links to various tools that a handler has found useful, etc.
The Handler's Diary is part of my "morning coffee reading" sites. I've been reading it for years, and wouldn't say it's alarmist. I'll note, however, that /. submissions occasionally overinflate or misinterpret articles. A purely hypothetical example might be a simple article that basically says "hmmmm, curious how there's a flurry of new hurricane-relief-related domain registrations, especially given the large number of fraud sites that popped up within 24 hours of Katrina...btw, have you talked with your (l)users lately about fraudulent sites and being careful with their donations?", which somehow on /. becomes "article shows how to predict what forms future malware will take". For a more interesting/useful example of what the Handler's Diary can sometimes offer up, there are gems like Tom Liston's "Follow the Bouncing Malware" articles:
Back to your main question, SANS has a for-profit side offering security training and certification, and a free side which provides articles, papers, and assorted trend-tracking information that might be of interest if you're into network security. Since Wiki is a bit light on info, consider reading About SANS and About the Internet Storm Center. As to whether it's sensationalistic/alarmist/whatever, all I can suggest is to read back through the last month or two of Handler's Diary articles and see if they sound like fud/fear-mongering or potentially useful info. -
Re:Who is SANS, anyway?
I have to ask this, just who is SANS, anyway? We get tons of alarmist reports from them, but nobody ever checks the source. [...] Does anyone have any more information?
The story comes from a SANS ISC Handler's Diary entry from a few days ago. The Handler's Diary is basically a security blog maintained by the volunteers manning the ISC (Internet Storm Center), and the content varies from day to day. It may contain information about new exploits, workarounds, upcoming patches, requests for data on unusual/suspicious network activity, detailed analysis of malware distribution techniques, etc. Or on slower days it might contain random tidbits on something that a handler found curious/interesting, reminders about good security practice, a compendium of links to various tools that a handler has found useful, etc.
The Handler's Diary is part of my "morning coffee reading" sites. I've been reading it for years, and wouldn't say it's alarmist. I'll note, however, that
/. submissions occasionally overinflate or misinterpret articles. Purely hypothetical example might be a simple article that basically says "hmmmm, curious how there's a flurry of new hurricane-relief-related domain registrations, especially given the large number of fraud sites that popped up within 24 hours of Katrina...btw, have you talked with your (l)users lately about fraudulent sites and being careful with their donations?", which somehow on /. becomes "article shows how to predict what forms future malware will take".For a more interesting/useful example of what the Handler's Diary can sometimes offer up, there's gems like Tom Liston's "Follow the Bouncing Malware" articles:
Back to your main question, SANS has a for-profit side offering security training and certification, and a free side which provides articles, papers, and assorted trend-tracking information that might be of interest if you're into network security. Since Wiki is a bit light on info, consider reading About SANS and About the Internet Storm Center. As to whether it's sensationalistic/alarmist/whatever, all I can suggest is to read back through the last month or two of Handler's Diary articles and see if they sound like fud/fear-mongering or potentially useful info. -
I happen to write these reports every so often... I'll make this short, informative, and somewhat dumbed down, just like the type of report they are actually looking for.
Go here and read: sans.org/rr
They want a few powerpoint slides worth of information in a doc/pdf really... Lots of pictures and graphs. Highlight the risks and list the tasks needed to mitigate them.
Try to cover your own analysis of the products you have in place to protect your company.
- Network-based Firewalls
- Network-based Anti-Virus
- Network-based IPS/IDS
- Network-based Anti-SPAM
- Host-based Firewalls
- Host-based Anti-Virus
- Host-based IPS/IDS
- Host-based Anti-SPAM
- Patch Management
- Vulnerability and Application Assessment
- VPN (IPSEC and/or SSL-based)
- Authentication (LDAP, Radius, 2-Factor, etc...)
- Anti-SPAM
- Event Management
- Logging Servers
- Content Filtering
- Wireless Security
I hope you have at least some idea of a plan for each of these areas... -
Sec-exps already know PHP is the beginner's choice
Security experts already know PHP is the beginner's choice. See:
http://www.sans.org/top20/#c3 (Top 20 Vulnerabilities)
"There has not been a single week during the last year that a problem was not reported in some software using PHP." -
Re:This is a really bad post
Why do you say this? I had the ramen worm way back when. Do you think the virus authors just stopped after writing one? I get ssh login attempts all the time on my box, do you think they just want to get on and run hack?
And don't give me nonsense about not running as root. If you aren't running an IDS like tripwire, then it's game over. Once a user account gets hacked, they can modify PATH, install a keylogger, wait for you to login and type su. -
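The tripwire-style check the comment above relies on, shown as an added example that is not code from the post, from Tripwire, or from SANS: record a hash, the permission bits and the size of every regular file under a directory, then diff a later snapshot against that baseline. The `demo()` function builds a constructed throwaway "home directory" (the `.profile`, `notes.txt` and `bin/helper` names are made up for the example), edits a shell startup file and drops a new file into the user's `bin` directory, which is exactly the kind of change a baseline comparison should surface.

```python
# Added example, not code from the post: a minimal tripwire-style file-integrity
# baseline. Records SHA-256, permission bits and size for every regular file
# under a directory, then reports what was added, removed or modified since.
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Map relative path -> (sha256, permission bits, size) for regular files under root.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for the real file."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root)
            baseline[rel] = (hash_file(full), st.st_mode & 0o7777, st.st_size)
    return baseline


def compare(baseline, current):
    """Diff two snapshots; a mode change alone (e.g. chmod +x) counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a throwaway 'home directory', then change
    a shell startup file and drop a new executable into the user's bin directory."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "bin"))
        with open(os.path.join(home, ".profile"), "w") as fh:
            fh.write('export PATH="$HOME/bin:$PATH"\n')
        with open(os.path.join(home, "notes.txt"), "w") as fh:
            fh.write("unchanged file\n")

        before = build_baseline(home)

        # Changes a baseline check should catch: startup file edited, new file appears.
        with open(os.path.join(home, ".profile"), "a") as fh:
            fh.write("alias ls='ls --color'\n")
        with open(os.path.join(home, "bin", "helper"), "w") as fh:
            fh.write("#!/bin/sh\necho helper\n")
        os.chmod(os.path.join(home, "bin", "helper"), 0o755)

        return compare(before, build_baseline(home))


if __name__ == "__main__":
    print(demo())  # {'added': ['bin/helper'], 'removed': [], 'modified': ['.profile']}
```

In real use the baseline would be stored somewhere the monitored account cannot write (that is the whole point of the comment: an attacker who owns the user account can also edit anything the user owns), and the comparison would run from a separate, trusted context.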
Re:Don't discount McAfee
"Black Eye" Links:
McAfee update exterminates Excel
http://news.com.com/2100-1002_3-6048709.html
McAfee 4715 DAT False Positive Deletion Reports Follow-up
http://isc.sans.org/diary.php?storyid=1184 -
Re:Encryption?
Several:
Any SSL accelerator can do it, given the private key.
An example is the Radware CT100/Appaccel, but most load balancing companies have this capability.
SSLDump is an OSS app that does the same thing.
If you have an in-line device, you can break any session, and proxy the connection both ways. Some Examples:
SCIP
Finjan
Blue Coat
Breach Security also provides an SSL Inspection plugin and appliance that is OEMed by various IDS vendors.
A Google search for SSL Proxy traffic Monitor returns a number of interesting responses. If you can proxy the service, you can do transparent man in the middle attacks on it.
Full Disclosure: I have worked for both Radware and Breach Security on these products, and did a SANS tooltalk on the topic (login required). -
Re:So, is the database compromised?
The Internet Storm Center is saying that the database was not stolen. They've got a link to Blue's official response, but their website is down. Slashdot or spammers?
;-) -
Not common yet, but they're working on it.
The bigger threats here might be more related to crossover cases, either on the device or the worm itself. The recent Linux/Windows proof of concept is an example of the latter, though in its infancy. For the former though, there is at least one case where a Windows glitch can be exploited in both PCs and mobile devices. SANS story While not common yet, the power of available devices will grow, and costs will decrease. Of course, reasonable policies can help in general; start with trusting nothing, and then make exceptions as needed. The IT folks where I work do have wireless access points set up in the office, but with all available security enabled. Even then, those users are still firewalled off from most of the network. That said, I must say I like my little Palm Treo 650, though I haven't been tempted by Bluetooth yet.
-
Re:This article is flamebait [or are you a troll?]
If you still don't understand why they should release information, consider the following from the article: "Microsoft's customers depend on that information to figure out how to respond to Patch Tuesday. The reality is, system administrators will delay deploying a patch based on the details of the bulletin. When details aren't included, he won't install that patch"
I recall reading an article on the ISC website asking folks if they knew the inner workings of Oracle's (many, many) patches. It seems as if this vendor hides the innermost details of the bugs their patches fix too. It takes many levels of registration, subscription, etc. to get one of their update e-mail newsletters outlining the patches. But even then the details are a bit sketchy. Perhaps this practice isn't just limited to Microsoft. But since Microsoft is perceived as the big bully on the block this makes better fodder.
-
For self study: try SANS @home or OnDemand
SANS offers a number of its tracks (including the "Incident Handling" track, which is close to CEH) as self study with GIAC certification. You can either do plain "self study" where you get the books, or they offer an "@Home" program where you attend classes online.
-
A Marketing Campaign?
"It's important for enterprises to be aware of such issues and implement anti-virus tools for protecting non-Windows operating systems if they haven't done so already," Ullrich said.
So is that the real intention of the entire article? The original report is at viruslist.com, which is again a Kaspersky owned site. So take a guess...
Also, at the end of the story on SANS they have put up an update saying that the virus will have to run as r00t to be able to do any real damage. Kinda like most proof of concept virii developed for *nix in the past isn't it? -
Am just attending that course right now!
Hi, I am writing this post from the Hilton Hotel in Munich, this is the 3rd day of the course (munich06). It is really cool, although I admit that I am a little bit jealous of all the guys who attend the class with me and get all this fine knowledge served on a silver plate while I learned most of it as an autodidact over the years.
That having said, being a hacker (ethical or not) is IMHO more a state of mind and an attitude than plain knowledge of tools and techniques. Those of the attendees who did not dig into the topic before attending the course will not turn into expert hackers by knowing the tools and tricks and by passing an exam but it surely is quite good for pen testing. Yes, the pen tester ideally should be as sophisticated as the attacker but I have seen pen testers (for very respected companies like KPMG) who were no hackers at all and all they knew was what they have learned from their hacker colleagues on the job.
In our Sec504 class there is only one lady, who by the way seems to be Muslim (she wears a veil). Cyber terrorists anyone? Of course I do not want to suggest that she might be an extremist with bad intentions, but still - it makes me wonder. I mean, remember the 9/11 terrorists who learned how to fly a plane in the States? Are you sure that the next generation of cyber terrorists is not being educated there (Al-Qaeda could probably well afford the price tag for those courses)?
-
Having just been to a class...
Having just attended a SANS class (one week, tons of fun, learned a boatload), I would highly recommend them. Not everything there is available on the web (well, sort of, but the stories from the storm center certainly aren't). The course I took was taught by Ed Skoudis, easily one of the best lecturers I have ever seen. At the end, yes, we got to play capture the flag.
-
Re:You Are Incorrect!
???
You posted a correction to say that the Windows default with SP1 is "secure"
???
Try running nessus or even nmap against it.
Try referring to NSA guidelines for securing a windows 2003 server environment.
http://www.nsa.gov/snac/downloads_win2003.cfm?Menu ID=scg10.3.1.1
Or read some of the SANS whitepapers:
http://www.sans.org/rr/whitepapers/windows/
Windows machines can be hardened to a degree, but never as much as it's possible to harden Linux or the BSDs, because they can be streamlined much, much more by tossing out all of the unused components and modifying the components you do use to be slightly nonstandard and less susceptible to known attack vectors. -
Re:That why I stay with #2 or #3
It's always a good idea to try and reduce your attack surface as much as possible, but what you're suggesting shouldn't be the primary concern.
The browser isn't the reason why malware gets installed onto your machine, it's the means by which it gets there. The actual reason why is that people who should know better keep using an administrative account on Windows.
Does the fact that I use IE make me more vulnerable than you because you use FireFox? The knee-jerk Slashdot opinion would be "omg! you suck!", but in reality I might actually be better off than you are since I never log on with an administrative account which means that despite all the gaping holes in IE 99.9% of malware simply won't be able to install itself because it assumes it'll have full access to the system (http://isc.sans.org//diary.php?storyid=1221 - Installs itself under the windows directory).
If I decide to visit some dubious site, I can right click on IE, "Run As" and pick the "Protect etc" option and it won't even have access to any part of the file system or the registry. Sure, it's a hassle, but it's an option that even Firefox lacks (or at least the last time I checked, Firefox wouldn't run under the restricted permission set since it assumes it'll always have write access to certain directories).
Despite my tone this isn't actually a rant against Firefox or a claim that IE is perfectly safe, but the bottom line is that security starts from the bottom up and your choice of browser is one of the last things that'll make much of a difference.
Program X might have a better track record than program Y but the odds are that sooner or later it will have an exploitable vulnerability and unless you planned and prepared for that by making sure the impact will be low to zero you're only kidding yourself as far as security is concerned. -
Keep an eye on this one..
If you're an admin of machines running IE then it will be worth keeping an eye on this one. The best place is the Internet Storm Center which usually updates several times a day and links to other sites of interest. (Be sure to check the diary archive).
This is a little like the WMF flaw that became known just after Christmas. Eventually MS had to provide an out-of-cycle patch (even if it was just a few days early) because of the bad press they were getting. From the looks of things, the patch for this one will be ready soon too.. so any kind of noise you can make to get an early release would be a Good Thing.
Yeah yeah, MS will get a lot of flak from Slashdotters on this, but you should bear in mind that they also provide some decent patching tools like WSUS for administrators to roll these things out. Personally, I never use IE on my Windows box, but I'm afraid it's still a fact of life in most large businesses.
-
Secure coding classes, not testing but...
SANS, a well-respected hands-on security training organization, has several courses on application-level security - Securing Oracle, Web Application Security Workshop, Secure Internet Presence LAMP, and .Net Security among them. These are aimed at programmers, not testers, but would be beneficial to anyone doing code audits and blackbox testing of applications. Not quite what you asked for, but maybe something you'll want to look into.
-
Strange...talking about systems not vulnerable to this vuln...
According to the Sun security advisory related to this (thanks SANS Internet Storm Center), Solaris 8 isn't vulnerable, although it comes with Sendmail 8.11.x or 8.12.x (depending on your patch frequency)--versions in the vulnerable range.
I've been a Solaris admin for a long time and I find this to be a rather bizarre inconsistency. Why would Sun claim non-vulnerability when mere cursory examination of installed release shows vulnerability?
Any /.ers with more insight into Sun's reasoning out here? If so, can you share it? -
Information Security
Since you're talking about career choices, you might want to approach the topic from the broader sense - not just Network Security but Information Security.
InfoSec is a broad, fascinating field. And as with the field of medicine in the early 1800's, everyone is an expert, but no-one really knows enough.
There seem to be six main "practitioner" fields, right now:
1) Documentation (certification and compliance)
2) Network / Systems Administration
3) Legal and Physical Protection
4) Management of all the above
5) Countermeasure Device Development and
6) Training.
By "Countermeasure Device Development" here I mean such things as writing / building programs (or appliances) to simply "improve the situation". This currently includes developing such things as Firewalls, Intrusion Detection Systems, Vulnerability Analysis systems, Systems Hardening software, etc. That field is open-ended.
At first glance, this sounds like what you're thinking about. As to programming skills - don't worry. If you love a thing enough you'll do it a lot. If you love a thing a lot and do it a lot you'll get quite good at it (One suggestion, though - the best way to debug code? Don't put bugs in when you write the code in the first place - makes debugging infinitely easier).
If writing such software is what you're thinking about - talk with folks who have already done it. Find a way to talk with Marty Roesch (who wrote Snort), Renaud Derraison (who wrote Nessus), Ron Gula (who wrote the Dragon firewall) - you get the picture. People capable of writing such devices are in a very small, select group - and they're very good people.
As other people here have said, take a look at the ten areas of knowledge that the CISSP certification considers (Certified Information Systems Security Professional - go to http://www.isc2.org/). That will give you a broad overview of the technical side of the field.
Do also look at the GIAC (Global Information Assurance Certification) program that SANS encourages (http://www.sans.org/). As I understand it, both the CISSP and the GIAC certs each have both breadth and depth, but the CISSP is primarily interested in breadth with a reduced depth, whereas the GIAC selects a narrower subset and drills more deeply into that.
To thrive in the field - to even enjoy the field - you'll need both breadth and depth.
And speaking of breadth, do also read Kevin Mitnick's book "The Art of Deception." This is about the part of InfoSec that's the toughest to solve computationally - the human element. In my opinion his solutions listed in that book to the problems of social engineering don't go deep enough, but _nobody_ understands social engineering as well as he does.
In fact, speaking of the human element, do also take a look at the CPP (Certified Protection Professional) certification from ASIS International (http://www.asisonline.org/). This certification deals not only with how to use computers to find the bad guys, but what to do once you've found them. Interesting.
InfoSec - it can be frustrating; it can be fun. Enjoy!