Slashdot Mirror

← Back to Stories (view on slashdot.org)

Internet Security Warnings

Posted by CmdrTaco on from the we-have-a-code-yellow-people-this-is-not-a-drill-omg-freak-out dept.

Juha-Matti Laurio writes "Internet Storm Center's Diary reported today: Due to a number of very well working Windows exploits for this weeks patch set, and the zero-day Veritas exploit, we decided to turn the Infocon to yellow. The following Internet Threat Level meters are at level 2/4 because of Windows Plug and Play vulnerability's several exploit codes too: Symantec ThreatCon as a part of global DeepSight Threat Management System saying Increased alertness and Internet Security Systems X-Force with Increased vigilance at AlertCon."

13 of 296 comments (clear)

  1. It hate to say it... by confusion · · Score: 5, Funny

    But it's been a while since we've had a good/effective worm.

    Jerry
    http://www.cyvin.org/

    1. Re:It hate to say it... by ciroknight · · Score: 5, Interesting

      No drugs here, but then again, my argument does make sense; Security left in the hands of Microsoft is security that should be questioned.

      I mean just look at the terrificly terrible job they've done with the Xbox, or the bang up job they've done to date with patching well known security issues in Windows. Their attempts at security seem half-assed at best, as most of the more critical bugs are found by companies outside of Microsoft, and as Microsoft acquires more of these companies, I doubt if their advisories will ever make it out the front door.

      Thus, I believe when Vista comes out, there will be a million new exploits, just as were delivered with Windows XP when it came out. And as most of these exploits will be retroactive (as the NT platform is known for carrying bugs for years without them being detectable), WinXP and 2000 will be at risk as well. It's only an opinion, but it's a well thought out one. At this point it's all speculation.

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
  2. Another color-code system? by green+pizza · · Score: 5, Interesting

    Seems to me these color coded systems do more to confuse than they do good. Should I relax if we're at green? Should I be paranoid if we're at Red? Should I even care since I run UN*X rather than Windows? Every day there are at least a few new sploits. Every few weeks there's a sploit that affects me as a sysadmin and requires my attention to preserve the security of my servers and internet-attached LAN. Given this I still don't understand the value in these color coded alert systems. Yellow? What does that mean? Wake up an extra hour early to read the logs? The terrorists can attack just as easily if we're at green than if we are at red. I'm uncertain of the value in the announcements at the airport every 15 minutes to remind me that we're at yellow or orange.

    1. Re:Another color-code system? by briancurtin · · Score: 5, Funny

      threatcon? infocon? alertcon? "hey bob are you going to be at the meetingcon about threatcon at infocon in room z-force? theres an x-force alertcon for the internetcon."

      --
      My UID is a palindrome, that must be good for some type of prize.
  3. Windows Threat Assessment by joelparker · · Score: 5, Funny
    It would be cool to have a little app that reports the current Windows threat level.

    The app could download data automatically using IE and ActiveX, format the data using an Excel Macro, then email results to me using Outlook.

    Because I care about security.

  4. Color for security level is great by Unsus · · Score: 5, Funny

    On related news, the US puts it's security level color at pink. Again, on related news, Bobby's mom chooses to wear an orange shirt. No need to actually read the security threat -- we have colors for that.

  5. Netcraft Confirms It. by bmo · · Score: 5, Informative

    Windows is dying.

    Well, it's deathly ill, mostly. The average Windows end user is in a never ending battle against the baddies. They buy their systems at the Best Buy, bring them home, run for a couple of months, and then complain that they can't login.

    Then they call me, or someone like me. With disdain, I inform them that I'm wicked busy but I'll do it "this time".

    When I get my grubby hands on their machines, they're fubar. It's not for lack of trying either, because there are multiple Virus, Trojan, and Firewall apps, all fighting over the same machine, including the odd fake anti-trojanwares. You know the one's I'm talking about. We've all seen them. "Click here for a FREE security scan!" and then the machine gets YET another bit of evil.

    I simply don't know what to do anymore. I clean them up, set up security, knowing - just KNOWING that it's all in vain. Just yesterday, I got an "e-postcard" in the mail, and it was just an overt attempt at infection. There wasn't anything that would trip an AV or firewall in the mail, just an obfuscated link that actually pointed at a crypically named .exe. I know far too many people who are e-card addicts, and I am SURE they would have clicked.

    Toast. Totally goddamn toast. The fact that Windows programs have their execute bit as part of the filename is probably the worst thing ever to happen to an OS. One click, and yet another "svchost.exe" process. No lube, no kiss, no reach-around, just total PC anal rape.

    And without a total redesign of Windows or dumping the platform for Apple or Linux, Joe and Josephine User are SOL. Vista is going to be more of the same, as it's going to be simply XP SP3 with more chrome.

    Ah well.

    If anyone knows anything about a0190313376667.gif.exe, mail me at my alias AT Entropy dawt TMOK dawt com. There's hardly anything on the 'net about it except some German blogs.

    --
    BMO

    1. Re:Netcraft Confirms It. by bmo · · Score: 5, Informative

      I think you misunderstand....

      I am _not_ a professional admin who has a network of machines to maintain or easy access to the machines I fix or the authority to command people to do as I want. I'm "the guy that fixes stuff" for his friends/enemies.

      Go 'round every couple of months requesting that everyone send me their machines for updating the OS? Are you out of your mind? Ghost? Are you out of your mind? These are all individual machines, not something cookie-cutter that I could administer in a sane way.

      Yes, I would love to standardize all these machines with the same Windows distribution. I would love to partition the drives so that the OS resides on a separate partition from the user data, and yet another partition for the extra installed programs. That would be sane. But that would mean I would have to furnish boxed copies of XP at the retail price myself, to be sold to the "customers" so I can do it up right.

      "But I have Windows! Why do I have to buy another?"

      Things were so much simpler when PCs came with full OS licenses and a full set of disks. Now, the only choice is to either manually disinfect for HOURS without disturbing too much of the installation, or format and use the "recovery" cd, and the user is fucked for whatever was on the machine if it was never backed up.

      It's fucking maddening is what it is.

      The day that Microsoft stopped the likes of Dell and HP from furnishing OEM CDs spelled doom for the customer who wanted to have a multiple partition setup. Now if you want that, you need a purchase a full Windows kit that costs 200 bux for XP Home.

      --
      BMO

  6. Re:Yellow is pretty rare.. by Anonymous Coward · · Score: 5, Funny
    There has never been a Red alert level.

    Red alert sould be used at each Windows release.
  7. Re:Yellow is pretty rare.. by lamj · · Score: 5, Informative

    One happy customer :-)

    You are correct. We want the infocon to stay at green most of the time and only raise it when necessary. Think about this, if we keep it at yellow all the time, it would eventually lower people's perception of the current threat. Trust me, we do try very hard to only raise it when necessary and appropriately.

    Disclaimer: I am one of the ISC guys.

  8. All Hands To Battlestations... by CoyoteGuy · · Score: 5, Funny

    Data: Captain.. Sensors are picking up localized pockets of Upnp activity in subspace transmissions.

    Picard: Geordi, can we triangulate the originating source?

    Geordi: Yes sir, it's coming from a planetary system 15 light years from our present location. Long range sensors indicate it is...

    Picard: Yes, I know... Microsoft...

    Picard: All hands, yellow alert. Data, set a course for the source of the transmissions. All hands, to battlestations. Worf, put us to red alert upon enterting the system. We don't want another Code Red Incident. And send out a subspace communication to the Federation, all ships, all systems.. We have engaged Microsoft..

    Worf: Yes Captain.

    Picard: Data, we did test our monthly Microsoft patches on the first Tuesday of the month, correct.

    Data: Negative Captain. Unfortunately, there were exploits in the wild which take advantage of the weaknesses in the Upnp service installed on the ship's computer, and the Federation threat level was raised, so we did not test them.

    Picard: Damn Microsoft. Alright, let's be careful. We don't know yet what we're dealing with. Maximum Warp! Engage!

    --
    Slashdot.. Land of nerds, trolls, and FlameBait..
  9. Hey Guys.. by CoyoteGuy · · Score: 5, Funny

    I think the threat level was raised to blue...

    But what does this mean?

    STOP: 0x0000000A (00000595 00000002 00000000 8010da41)
    IRQL_NOT_LESS_OR_EQUAL

    --
    Slashdot.. Land of nerds, trolls, and FlameBait..
  10. Re: 40 mothers agree: Cleaning Windows is a PITA by homesteader · · Score: 5, Informative

    More often than not these days, the real tough buggers have randomly generated process names. Here's how I clean a machine:

    Tools required:

    Process Explorer(procexp) from http://www.sysinternals.com/
    autoruns.exe from the same, or hijackthis.exe from http://www.merijn.org/
    Any good virus scanner(McAfee's Enterprise scanner is decent. Use a simple scanner if possible, not a scanner/firewall/spam filter/personal servant. It will be generally be faster and simpler.
    Ad-Aware from http://www.lavasoft.de/
    LSPFix from http://www.cexx.org/lspfix.htm/
    Updated Stinger from McAfee http://vil.nai.com/vil/stinger/
    Experience enough to know valid windows processes and files.

    Have all of this on a USB drive or CD. Will probably fit on a 64mb drive, unless your virus package is bulky.

    Boot to safe mode

    Start Task Manager or Proc Explorer and kill anything that doesn't look good, or everything that you know isn't part of windows. You could go to Control Panels:Admin Tools:Services and stop all services first, this will narrow the field.

    Run Stinger, just let it scan memory and running apps. Don't wait for it to do a full system scan.

    Run Ad-Aware, do the same. Just trying to ditch bad things that are actually running.

    If you've gotten this far in 15 minutes, the machine probably isn't in too bad of shape. Dump all temp files, c:\temp, c:\winnt(windows)\temp, c:\documents and settings\username\local settings\temp, c:\documents and settings\username\local settings\temporary internet items

    Update virus definitions and do a full scan. Latest SuperDAT from McAfee or Definitions from Symantec or whoever you use, should also be put on the USB drive or CD.

    So, virus scan didn't deal with it, or couldn't stop/remove it? This is where it gets tricky and completely manual. This is the point where most people give up, since you really need to know what should be where in Win2k/XP/2k3. I'm really not thinking of 95/98/Me, if those are hosed just wipe it clean and move to XP home for $99-199

    Run HiJackthis and look for gremlins. This tool really requires an eye for what is supposed to be there, but pay special attention to startup objects and BHOs(Browser Helper Objects aka evil Internet Explorer plugins)

    Add/Remove programs. Go through it with the client. Anything they don't recognize, or know they don't need, ditch. This can be risky, since people forget, but compared to a reinstall . . .

    Now for the real manual part . . .

    Run lspfix and check for foreign entries. There are normally 2-4 LSP's present. I usually only do this if there are persistent network failures.

    Check Hosts file at c:\winnt(windows)\system32\drivers\etc\hosts There really should only be one entry in here, for 127.0.0.1 localhost. You may have already checked this with hijackthis

    Browse to c:\winnt(windows). Sort by date. On a default install, the file modify dates are going to be a long time ago. If you see anything from within the last few months, get suspicious. Ignore log/text files, but don't ignore those without an extension. Do the same for c:\winnt(windows)\system32 This can be a bit trickier, there are way more files in system32 than winnt(windows), but the same rule generally applies. Anything from the last 3-6 months is suspicious.

    Do the same for c:\program files Delete any empty folders that your previous uninstall didn't remove. You should have an idea what is supposed to be here, after doing Add/Remove programs, so hack and slash the folders that you don't think belong.

    In one of these deleting sprees you are sure to find something bad that won't let itself be deleted, usually a .dll that is registered and can't be removed. Never fear! Write down the .d