sans.org · Domains · Slashdot Mirror

Update on the Update by Hulkster · 2005-04-08 05:28 · Score: 5, Informative · on DNS Cache Poisoning Update

That SAN's report actually came out yesterday, the 7th, probably when the article was submitted ... and ISC uses UTC time for their postings. There's an update the next day (today as I write this) where ISC returns the status to Green because they understand the DNS Poisoning problem and have recommendations for people to protect themselves - although it's still an issue.

Ironically, that same update describes Comcast's nationwide problems that started last night (US Time) and says it was caused by an equipment upgrade and not related to the DNS Cache poisoning. BUT, the problem was not network connectivity, but the DHCP's DNS Servers became unavailable. Read more at DSLReports and (from first hand experience), the work-around was fairly easy which was to manually specify the DNS server, rather than use the DHCP'd one. Comcast says it was resolved about two hours ago - scroll down to the bottom of the page.

Re:SANS vs. the rest of the security community. by McSpew · 2005-04-07 03:45 · Score: 1 · on DNS Cache Poisoning Spreads Malware

You probably would have been better off sending your findings to handlers@sans.org

I did. They responded by posting that Win2k SP3+ was supposedly immune but that people with that configuration were reporting the poisoning.

Today's ISC update from SANS indicates they're closing in on the root cause. Apparently, MS DNS servers implicitly trust servers to which they forward. BIND 4 and BIND 8 don't scrub poisoning information when they respond to a forwarding server. DJBDNS and BIND 9 do scrub the data.

Re:Hello SP2, Good-Bye Firewall, Hello Zombies? by Fez · 2005-04-06 11:51 · Score: 1 · on Ready or Not, Here Comes Service Pack 2

See the SANS "Survival Time" data - It's currently at 21 minutes, but it has been 15 minutes in the past.

Re:SANS vs. the rest of the security community. by jdion · 2005-04-06 06:13 · Score: 1 · on DNS Cache Poisoning Spreads Malware

I have been discussing this topic with a couple collegues, and the last time we recalled the SANS security level raised to Yellow was right before each major worm release... i.e.: Blaster, Sasser Worm, etc...

http://isc.sans.org/infocon.php

Just food for thought.

Followup paperwork too time consuming... by sakshale · 2005-04-05 03:21 · Score: 1 · on GIAC/SANS Certification Changes?

I took the SANS security boot camp when they first started. I found it valuable and very well done. A solid week of good, well presented, stuff that you won't find anywhere else.

However, even though I passed all the exams needed for GIAC certification, the follow on requirement to submit papers simply did not fit my work schedule. As the only system administrator for a small startup, I simply did not have time to write papers. So, the requirement they appear to be dropping was the requirement that blocked my certification.

Writing a good paper takes time and focus. Something that working system administrators often find short in supply.

Re:I'm calling Bullshit by Lars+T. · 2005-03-26 10:11 · Score: 1 · on Large Prize Offered For Writing Mac Virus

By poisoning DNS they can take over the domain of a "good" web site. Just a very recent example. Or how about the Google 302 redirect?

What about the user? by PxM · 2005-03-26 06:44 · Score: 2, Interesting · on Large Prize Offered For Writing Mac Virus

Since the majority of viruses, spyware, and other crap are due to user inaction, this isn't really a fair metric about the overall security. However, it is good to compare against the Windows survival time which is measured in minutes. This does show that Apple has its default security setup as "paranoid with multiple tin foil hats) compared to Windows XP's default setup. A more interesting test would compare how hard it is to get spyware onto a user's computer via the default webbrowser since that seems to be the primary vector these days. However, this is problematic since it's heavily dependent on user stupidity.

--
Want a free iPod?
Or try a free Nintendo DS, GC, PS2, Xbox. (you only need 4 referrals)
Wired article as proof

Survival time real world measure of security by Oriumpor · 2005-03-26 04:37 · Score: 1 · on Microsoft Silently Backs Favorable Presentation at RSA

What the hell difference is it in a lab environment if my system is more secure than yours if there's no measure of real world elements? Dropping a couple hundred boxes on the net and plotting out the time it takes for their security to be subverted would be a good measure of the OS security.

Multiple bandwidth tests (56k-1.5mbdsl) trying to update the OS. Utilizing vendor (Dell/HP/Gateway) XP installs/Linux installs (not fully patched, but patched a *little*) In combination with hardened installations in similar configurations. You could more than likely run a hardened setup with autoupdates on Windows/Linux side by side without a successful attack the length of the survey.

Oh I don't know, something like: this

Re:how do you know? by blackest_k · 2005-03-22 05:00 · Score: 1 · on UK Officially The Most Hacked Country

http://isc.sans.org/diary.php?date=2004-10-11

a few hints to identify whats going on in a particular system.

Re:Are these BotNets responsible by nolife · 2005-03-15 03:28 · Score: 3, Interesting · on Observing Botnets with Honeynets

Maybe I have been lucky but I see less then 5 attempts to my port 22 a day. I only allow accounts with existing keys (no password auth) and only from a few source ip addresses access but I can still see all of the attempts that fail. You can always see the trends by port and attack by browsing the internet storm center. See how you compare to the averages or you can look up specific port related issues from the other links on that page.

No mention of Helix by Anonymous Coward · 2005-02-01 18:42 · Score: 0 · on 18 Live Linux CDs -- In A Row

http://www.e-fense.com/helix/Helix is a forensics LiveCD, comes with a bunch of great apps, and as their web-site says, http://www.sans.org/ SANS uses their liveCD for their forensics training. Pretty cool if you ask me.

Re:MyWorm by Doc+Ruby · 2005-01-27 12:42 · Score: 1 · on Worm Hits Windows Machines Running MySQL

As you point out, this attack exploits weak passwords in MySQL - a social engineering attack, irrelevant to the source code. But the patch question I raised,

"And what happens when different people release incompatible patches? Is a worm a good way to force a fork in an OSS project, making it less competitive?"

is still valid in general. Sometimes it takes a while for the "official" distributor of the software to issue a patch. In the meantime, many of us with the source of a vulnerable OSS program will patch the hole ourselves. And distribute the patch, at first to our friends, but then into general circulation. If we distribute the SW we patched, and it's under GPL, we're obligated to distribute the patch. So multiple patches, from different sources, can be available, and even necessary when the official vendor doesn't release one faster, leaving our systems vulnerable. Especially if we examine the "alternate" patches ourselves before installing, using them can be teh safest alternative. But now the source has forked. So this is a "social engineering" DoS opportunity to attack the official app project: exploit enough bugs too quickly for the official project to issue patches quickly enough to meet demand, and people will write their own, forking the project. If that happens enough, and a full patchset remains unavailable from the official project, the source might remain forked.

This scenario seems unlikely, though possible, and is hypothetical until it is actually encountered. But it is a vulnerability that OSS projects have that proprietary ones don't, relying on the usually advantageous property of open "patchability". I won't be surprised to see it actually happen someday. Especially when some valuable, resourceful proprietary apps get lethally threatened by competing OSS apps. So, just like any other security scenario, it's worth considering in advance. So when it does happen, at least the attackers won't have the element of surprise totally on their side.

SSL? by bendelo · 2005-01-20 01:51 · Score: 1 · on 'Evil Twin' Threat to Wireless Security

I imagine an SSL man-in-the-middle attack could also be quite effective (assuming their browser hasn't already seen the 'bank.com' certificate to know its changed.

Follow the Bouncing Malware! by Cef · 2005-01-05 14:02 · Score: 5, Informative · on "Spam King" Agrees to Stop Spamming For Now

The Internet Storm Centre's "Follow the Bouncing Malware" diary entries (written by Tom Liston) covers passthison.com (which belongs to Spamford). Quite a good read.

Following the Bouncing Malware: Part I
http://isc.sans.org/diary.php?date=2004-07-23

Following the Bouncing Malware: Part II
http://isc.sans.org/diary.php?date=2004-08-23

Following the Bouncing Malware: Part III
http://isc.sans.org/diary.php?date=2004-11-04

Following the Bouncing Malware: Part IV
http://isc.sans.org/diary.php?date=2004-11-24

Follow the Bouncing Malware! by Cef · 2005-01-05 14:02 · Score: 5, Informative · on "Spam King" Agrees to Stop Spamming For Now

The Internet Storm Centre's "Follow the Bouncing Malware" diary entries (written by Tom Liston) covers passthison.com (which belongs to Spamford). Quite a good read.

Following the Bouncing Malware: Part I
http://isc.sans.org/diary.php?date=2004-07-23

Following the Bouncing Malware: Part II
http://isc.sans.org/diary.php?date=2004-08-23

Following the Bouncing Malware: Part III
http://isc.sans.org/diary.php?date=2004-11-04

Following the Bouncing Malware: Part IV
http://isc.sans.org/diary.php?date=2004-11-24

Follow the Bouncing Malware! by Cef · 2005-01-05 14:02 · Score: 5, Informative · on "Spam King" Agrees to Stop Spamming For Now

The Internet Storm Centre's "Follow the Bouncing Malware" diary entries (written by Tom Liston) covers passthison.com (which belongs to Spamford). Quite a good read.

Following the Bouncing Malware: Part I
http://isc.sans.org/diary.php?date=2004-07-23

Following the Bouncing Malware: Part II
http://isc.sans.org/diary.php?date=2004-08-23

Following the Bouncing Malware: Part III
http://isc.sans.org/diary.php?date=2004-11-04

Following the Bouncing Malware: Part IV
http://isc.sans.org/diary.php?date=2004-11-24

Follow the Bouncing Malware! by Cef · 2005-01-05 14:02 · Score: 5, Informative · on "Spam King" Agrees to Stop Spamming For Now

The Internet Storm Centre's "Follow the Bouncing Malware" diary entries (written by Tom Liston) covers passthison.com (which belongs to Spamford). Quite a good read.

Following the Bouncing Malware: Part I
http://isc.sans.org/diary.php?date=2004-07-23

Following the Bouncing Malware: Part II
http://isc.sans.org/diary.php?date=2004-08-23

Following the Bouncing Malware: Part III
http://isc.sans.org/diary.php?date=2004-11-04

Following the Bouncing Malware: Part IV
http://isc.sans.org/diary.php?date=2004-11-24

Dshield disagrees by JustinXB · 2004-12-21 10:31 · Score: 3, Insightful · on Net Worm Uses Google to Spread

See here

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.

Who are you going to believe: Some news site or a security community?

snort signatures by UnderAttack · 2004-12-21 10:26 · Score: 3, Informative · on Net Worm Uses Google to Spread

The ISC posted a couple of snort sigs and other details.

From the article (I actually read it this time) by 31415926535897 · 2004-12-20 06:13 · Score: 2, Informative · on Flaw in Google's New Desktop Tool [Update: Fixed!]

"An attack would require a user to visit the attacker's Web site first, and any type of Web browser could make a user vulnerable."

It seems like most non-email Internet attacks require you to visit an attacker's website before the payload can be delivered (there are some good articles about this at ISC). I would tend to think that unpatched browsers (<cough>IE<cough>) would still cause more problems that this.

Don't misunderstand me, though; I am not trying to excuse Google from the flaw, but the good news is that it's already fixed, and I'm sure the scum of the Internet are going to focus on these other (exciting, money-making) opportunities.

PS. I know Seth Fogarty, does that give me some sort of karma bonus ;-)

Hard numbers: 18 minute survival tme by Anonymous Coward · 2004-12-17 16:02 · Score: 0 · on Microsoft May Charge for Security Tools

It's not just anecdotal evidence. SANS has hard numbers of average the "survival time" before you're attacked. Currently it's 18 minutes.

Put an unpatched windows machine unprotected on the Internet and you are toast.

Re:No way by IchBinEinPenguin · 2004-12-16 19:07 · Score: 2, Interesting · on Microsoft Acquires Spyware Removal Company

The fact remains that getting rid of spyware is very, very hard.

Agreed. However, installing spyware in the first place shouldn't be as ridiculously easy as it is!

The design tradeoffs between security/usability have in IE have created a wonderful inTRAnet explorer. It's great for filling in the company timesheet using some custom ActiveX applet, but it should _NEVER_ be allowed on the inTERnet.

To follow your analogy, a dune-buggy is fantastic at messing around on dunes, but you wouldn't want to be driving one on the highway.

[ shameless plug ]
See "Examination of PC security: How we got where we are and how to fix it"
[ /shameless plug ]

Re:How much to charge by Anonymous Coward · 2004-12-02 04:11 · Score: 0 · on Spyware Removal is Big Business

*rolls eyes*

It's not the Java game ITSELF that hands out the malware, its their presence on a page that also contains malware.

When a person says they have to get their Java game fix on, they're not talking about Java doing the damage - they're pointing out that these games have to RESIDE ON A PAGE SOMEWHERE. Since our open source buddys like to give stuff away, unscrupulous individuals take advantage of that, and find a way to make a profit - off the backs of a generous donation to the world community, I might add.

A "popular" example is yahoogamez (used by "Follow the Bouncing Malware" series of articles at SANS)

Here's a link to begin reading about the site, and the consequences.

Re:Another good write-up here: by Anonymous Coward · 2004-11-29 06:56 · Score: 0 · on How Much Harm Can One Web Site Do?

Here's Part 4

Forensics Distribution by Boolio · 2004-11-26 07:25 · Score: 4, Informative · on Windows Incident Forensics with Knoppix Helix

The Helix distribution is meant to serve a very specific purpose: Incident response and gathering evidence. The tools included in the distribution are excellent for both Windows and Linux incident response (i.e. penetration, compromise, etc). When inserted into a Windows machine, it provides excellent tools for gathering evidence from hardware storage and memory storage. You can also use it in two fashions for Linux incident response: 1) Immediate response (just insert the CD have access to non-compromised programs), and 2) bootable in case the target system has been shutdown (a common reaction when an admin finds a server has been compromised). Because it is based on Knoppix, it does a great job at recognizing hardware, including useful tools, etc. With the Helix distribution, and good sized USB/Firewire external harddrive, you have everything you need to gather critical evidence when a system has been compromised. I have also read the Windows Incident Recovery book. While I found it not very complete (very little discussion of the actual gathering of evidence, and discussion of evidence preservation) it did have some good Windows information. However, the best environment for analysis is Linux because of the open source nature, and the capabilities of its included toolsets. If you are interested in this area, I highly recommend the training provided by SANS (http://www.sans.org/) in their Track 8: Systems Forensics. Its expensive, but the information and tools are well worth it.

Re:Another good write-up here: by arpy · 2004-11-24 16:51 · Score: 1 · on How Much Harm Can One Web Site Do?

Part 4 is already here.

ISC SANS just analyzed www.yahoogamez.com by dapantzman · 2004-11-24 15:28 · Score: 1 · on Intentional SpyWare Infection?

Tom Listons Following the Bouncing Malware from ISC SANS has some amazing info. He did a complete analysis of www.yahoogamez.com. That site gave him some great infections.

FTBM - Part I -
http://isc.sans.org/diary.php?date=2004-07-23/
FTBM - Part II -
http://isc.sans.org/diary.php?date=2004-08-23/
FTBM - Part III -
http://isc.sans.org/diary.php?date=2004-11-04/
FTBM - PART IV -
http://isc.sans.org/diary.php?date=2004-11-24/

ISC SANS just analyzed www.yahoogamez.com by dapantzman · 2004-11-24 15:28 · Score: 1 · on Intentional SpyWare Infection?

Tom Listons Following the Bouncing Malware from ISC SANS has some amazing info. He did a complete analysis of www.yahoogamez.com. That site gave him some great infections.

FTBM - Part I -
http://isc.sans.org/diary.php?date=2004-07-23/
FTBM - Part II -
http://isc.sans.org/diary.php?date=2004-08-23/
FTBM - Part III -
http://isc.sans.org/diary.php?date=2004-11-04/
FTBM - PART IV -
http://isc.sans.org/diary.php?date=2004-11-24/

ISC SANS just analyzed www.yahoogamez.com by dapantzman · 2004-11-24 15:28 · Score: 1 · on Intentional SpyWare Infection?

Tom Listons Following the Bouncing Malware from ISC SANS has some amazing info. He did a complete analysis of www.yahoogamez.com. That site gave him some great infections.

FTBM - Part I -
http://isc.sans.org/diary.php?date=2004-07-23/
FTBM - Part II -
http://isc.sans.org/diary.php?date=2004-08-23/
FTBM - Part III -
http://isc.sans.org/diary.php?date=2004-11-04/
FTBM - PART IV -
http://isc.sans.org/diary.php?date=2004-11-24/

ISC SANS just analyzed www.yahoogamez.com by dapantzman · 2004-11-24 15:28 · Score: 1 · on Intentional SpyWare Infection?

Tom Listons Following the Bouncing Malware from ISC SANS has some amazing info. He did a complete analysis of www.yahoogamez.com. That site gave him some great infections.

FTBM - Part I -
http://isc.sans.org/diary.php?date=2004-07-23/
FTBM - Part II -
http://isc.sans.org/diary.php?date=2004-08-23/
FTBM - Part III -
http://isc.sans.org/diary.php?date=2004-11-04/
FTBM - PART IV -
http://isc.sans.org/diary.php?date=2004-11-24/

Re:not much... by deaddeng · 2004-11-24 08:24 · Score: 4, Informative · on How Much Harm Can One Web Site Do?

There are at least two other IE exploits out there that MS has not patched, and SP2 won't protect you. see: http://isc.sans.org/diary.php?date=2004-11-20 Quote: Two More IE Vulnerabilities Exploit code has been released for two more Internet Explorer vulnerabilities that were released on Wednesday (Nov. 17). This code would enable an attacker to trick users into executing malware. These vulnerabilities affect Microsoft Internet Explorer 6.0 SP2 and are not prevented by Windows XP SP2. The original advisory is here: http://secunia.com/advisories/13203/ The proof of concept exploit: http://www.k-otik.com/exploits/2041119.IESP2disclo sure.php While on the topic, it is interesting to note some statistics that Secunia has been compiling about Internet Explorer vulnerabilities: IE 5.01 - 42 advisories (7 unpatched) http://secunia.com/product/9/ IE 5.5 - 55 advisories (8 unpatched) http://secunia.com/product/10/ IE 6.0 - 69 advisories (18 unpatched) http://secunia.com/product/11/ If you still think SP2 has mystical properties: http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatch ed/

Another good write-up here: by Saint+Aardvark · 2004-11-24 06:37 · Score: 5, Informative · on How Much Harm Can One Web Site Do?

The "Follow the Bouncing Malware" series at ISC's Internet Storm Center has been quite good, too; it looks at what happened to Ordinary Joe's Windows computer when he surfs: