
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-04-04



People - Greatest Asset and Biggest Vulnerability

Published: 2006-04-04
Last Updated: 2006-04-04 23:34:36 UTC
by John Bambenek (Version: 1)
In an increasingly technological world it is easy to forget that social engineering attacks will always be bigger and more damaging than the latest 0-days.  The best hacks are the ones that have significant "people" components.  That's why it is surprising that both Microsoft and SecurityFocus seem taken aback by a relatively unknown piece of spyware being so successfully deployed using social engineering.  It is well-known that most intrusions are insider (aka people) attacks. In the days before Outlook flaws, e-mail viruses had to trick users into running attachments.  There will always be an occasional vulnerability that will have the security people scrambling, but there will always be users who run things they shouldn't be running.

The idea that unsophisticated consumers can protect their own information does not hold up given the number of accounts that are compromised. Phishing is a great example. There would be little to no phishing if people couldn't be tricked into ponying up their information.

There are two ways to solve this problem, and both are required. The first is security education, which will help but won't solve the problem. Consumers have more on their minds than to dedicate their entire time to learning system hardening. They need to take some basic steps like patching, anti-virus, and anti-spyware, but that won't be enough. The other component is finding ways to do business that take into account that consumer PCs are not trustworthy for data that shouldn't be for public consumption. Ways must be devised to treat the PC (much like the Internet in general is treated) as a hostile medium for information and protect the data accordingly.

--
John Bambenek // bambenek -at - gmail -dot- com
University of Illinois

NetworkSolutions Down Again - Not a DoS Attack

Published: 2006-04-04
Last Updated: 2006-04-04 21:26:33 UTC
by John Bambenek (Version: 1)
This morning from about 8am-10am Eastern, Network Solutions services were unavailable again. At the time of this writing they still haven't come "fully" up. They explained the interruption as being caused by a "global outage" at their colocation provider. They did not explain the nature of that outage. In theory, things should start to work again over time. (Note: this is allegedly a different outage from yesterday's.)

Update: (12:05pm CDT) A Lesson in Business Continuity Planning

While I think the explanation is somewhat lacking on what happened at NetSol, there is one thing that jumps out at me. Why is the failure of one vendor enough to cause all of NetSol to come crashing down? You could argue that you rely on your vendors to have redundancy, but sometimes the vendor itself can be a single point of failure. In this case, it looks like the vendor's entire enterprise crumbled and took NetSol with it. Even the most technologically robust firms can be brought to a halt by a labor strike (for instance). The moral of the story is that if the stakes are high enough, having redundant vendors can be a smart play.

Update (4:15pm CDT) Don't Believe Everything You Read on the Internet

Contrary to reports circulating on the Internet, this outage was not the result of a DoS attack.  I have spoken via email with one of the NetSol engineers and while I can't say what it is, I can say it wasn't an attack.



QWest Problems

Published: 2006-04-04
Last Updated: 2006-04-04 18:35:05 UTC
by John Bambenek (Version: 1)
We've gotten several reports of QWest outages, particularly in the Pacific Northwest region of the United States. QWest hasn't reported anything, but people have sent in failing traceroutes and I can no longer get to them from where I am. It appears to be unrelated to the NetSol problems, but sites in that region of the US will be experiencing intermittent problems. More as I get it.

Update 1:34 CDT:

It appears AOL Instant Messenger is having intermittent problems, possibly connected to this, though I have no firm insights into it.

NetworkSolutions down

Published: 2006-04-04
Last Updated: 2006-04-04 14:27:17 UTC
by Tom Liston (Version: 1)
We've received and confirmed reports that NetworkSolutions is down (@ 13:15 UTC).  While networksolutions.com resolves, their website appears to be down.

According to several emails I've received, they should probably be using Ce1abrex and purchasing ALL of their p4armacutica1s from Canada.

Note: If you're going to write in to tell us you can't resolve a domain, please tell us WHAT domain.

Note 2: We'll post more information when we find out what's going on...

Update (14:25 UTC): They're baaaaaaaaaaaaaaaack.... We still have no information on what went south.  If we find out, we'll let you know.


A Nonsensical Proposal - Beta Patches

Published: 2006-04-04
Last Updated: 2006-04-04 02:09:11 UTC
by Tom Liston (Version: 1)

"A little nonsense now and then, is cherished by the wisest men."
    -[W|B]illy Wonka

The Oompah Loompahs are, once again, hard at work, cooking up a fresh new batch of Everlasting Hack-Stoppers (i.e. IE Patches) in Billy Wonka's Redmond Chocolate factory.

Good for them.

These fresh, new Everlasting Hack-Stoppers are aimed at fixing two unpatched vulnerabilities in Wonka's World-wide Web Browser (i.e. IE).  Just like back in January, exploits are a'circulatin' while we wait for the Oompah Loompahs to complete their tasks.

"So much time, and so little to do! Strike that, reverse it."
    -[W|B]illy Wonka

I, personally, have a whole lot of respect for the Oompah Loompahs and for the tasks that Billy Wonka has placed before them-- but let's get serious. Microsoft has been slinging Windows code for around a decade and a half now, and we still find ourselves waiting weeks for the other shoe to drop while security patches are tested and translated into every modern language and Latin (Quidquid latine dictum, altum videtur: anything said in Latin sounds profound.)

The problem is: every admin worth his salt will be re-testing that same patch once it's released.  And that, my dear friends, means that even when the patch is released, the corporate world will still be waiting.

"We are the music makers, and we are the dreamers of dreams"
    -[W|B]illy Wonka

Why should there be even more delay before the actual application of patches with public exploits-- by several additional days beyond their release date?  Why should the Oompah Loompahs get all of the patch-testing fun?

I, a dreamer of dreams, have a modest proposal for Mr. Wonka.  Release your Everlasting Hack-Stoppers twice.  When there are public exploits in circulation, release un-supported beta patches as early as possible.  Let the end users have a crack at testing them CONCURRENTLY with your Oompah Loompahs.  You can put all kinds of onerous click-through "WE ARE NOT RESPONSIBLE" verbiage on them, and let 'em rip.  You could even create a return pathway for the testing public to send reports back to Redmond.  That would give your testing program a wider range of real-world experience than all the Oompah Loompahs in Redmond could provide. Finally, when the Oompah Loompahs are through testing, release 'em for real.

With two sets of zero-day IE flaws hitting thus far in 2006, don't you think the current state of the patch cycle is worth a little dreaming?

Finally, before I bid you my fond farewell as Handler of the Day, I'll pull out my Nostradamus beanie and leave you with a prediction: Crpk wep xpdw apvk, up uohh fpp v svtck OP fpqgkowa offgp qvgfpi na wep gxqcgjhoxl cz VqworpD qcip igp wc wep Pchvf jvwpxw.

Good night, Mrs. Calabash-- wherever you are.



Tom Liston - Intelguardians


Apple Firms Up Their Firmware

Published: 2006-04-04
Last Updated: 2006-04-04 00:49:32 UTC
by Tom Liston (Version: 2)

Steve and the gang out in Cupertino have made Mac OS X v10.4.6 and Mac OS X Server v10.4.6 available for your fruity OS-updatin' pleasure. Aside from providing some general system improvements, they also deliver a fix for a security issue whereby MacIntel (Inteltosh?) boxes could have their firmware password bypassed, essentially giving anyone with physical access to the box the ability to drop to "Single User Mode" and run amok. (More details here.)

Update links and checksums (you *do* confirm checksums before patching, now don't you?):

Go here. (http://www.apple.com/support/downloads/)

For Mac OS X v10.4.5 (PowerPC)
The download file is named: "MacOSXUpd10.4.6PPC.dmg"
Its SHA-1 digest is: b65564786f9e15d6bdac2ea3eed1294e5fd8f122

For Mac OS X v10.4 through Mac OS X v10.4.4 (PowerPC)
The download file is named: "MacOSXUpdCombo10.4.6PPC.dmg"
Its SHA-1 digest is: c9fde5a23bcebd08149301b7ad300881a563c398

For Mac OS X v10.4.5 (Intel)
The download file is named: "MacOSXUpd10.4.6Intel.dmg"
Its SHA-1 digest is: a0d26811f55c8a3accac0f0237355431d0ca3938

For Mac OS X v10.4.4 (Intel)
The download file is named: "MacOSXUpdCombo10.4.6Intel.dmg"
Its SHA-1 digest is: 487dfcb211911c97f9862872a70b72eb4486d724

For Mac OS X Server v10.4.5
The download file is named: "MacOSXServerUpdate10.4.6.dmg"
Its SHA-1 digest is: 17b92d74ebe0a499fee5189b6d1074d5d5f72b15

For Mac OS X Server v10.4 through Mac OS X Server v10.4.5
The download file is named: "MacOSXSrvrUpdCombo10.4.6.dmg"
Its SHA-1 digest is: 746fe2b304f8bfb6a5f84ff0e08edd32722a8cb9

Or, you can be a big old wimp and just use the Software Update pane in System Preferences... (thanks Swa, for pointing that out!)
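The "confirm checksums before patching" step above, as an added example that is not part of the diary or of Apple's tooling: the published file names and SHA-1 digests are copied from the list above, the file is hashed in chunks (a .dmg is far too large to slurp into memory), and a file whose name is not in the published table is rejected rather than silently skipped. The self_check() helper and its b"abc" sample file are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Published SHA-1 digests for the 10.4.6 updates, copied from the diary
# entry above (download file name -> expected hex digest).
PUBLISHED_SHA1 = {
    "MacOSXUpd10.4.6PPC.dmg": "b65564786f9e15d6bdac2ea3eed1294e5fd8f122",
    "MacOSXUpdCombo10.4.6PPC.dmg": "c9fde5a23bcebd08149301b7ad300881a563c398",
    "MacOSXUpd10.4.6Intel.dmg": "a0d26811f55c8a3accac0f0237355431d0ca3938",
    "MacOSXUpdCombo10.4.6Intel.dmg": "487dfcb211911c97f9862872a70b72eb4486d724",
    "MacOSXServerUpdate10.4.6.dmg": "17b92d74ebe0a499fee5189b6d1074d5d5f72b15",
    "MacOSXSrvrUpdCombo10.4.6.dmg": "746fe2b304f8bfb6a5f84ff0e08edd32722a8cb9",
}

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so a multi-hundred-MB .dmg never sits in memory whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published=PUBLISHED_SHA1):
    """Return (ok, reason); ok is True only when the file name is in the table AND its digest matches."""
    name = Path(path).name
    expected = published.get(name)
    if expected is None:
        return False, f"no published digest for {name}; do not install it"
    actual = sha1_of_file(path)
    # compare_digest rejects length/format mismatches and avoids timing leaks
    if not hmac.compare_digest(actual.lower(), expected.lower()):
        return False, f"digest mismatch for {name}: got {actual}, expected {expected}"
    return True, f"{name} matches its published SHA-1"

def self_check():
    """Constructed sample (not a real update): b"abc" saved under a real update name must FAIL
    against the published table and PASS only against a table built from its own digest."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "MacOSXUpd10.4.6PPC.dmg")
        with open(p, "wb") as f:
            f.write(b"abc")
        digest = sha1_of_file(p)  # SHA-1("abc")
        ok_real, _ = verify_download(p)
        ok_fake, _ = verify_download(p, {"MacOSXUpd10.4.6PPC.dmg": digest})
    return digest, ok_real, ok_fake

if __name__ == "__main__":
    print(self_check())
```

SHA-1 is used only because those are the digests the page publishes; the same code verifies a modern vendor's SHA-256 table by swapping hashlib.sha1 for hashlib.sha256.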

Update: Here is an article from Apple that explains how to use the new firmware boot protection.
