Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog


More cable outages in the middle east

Published: 2008-02-01
Last Updated: 2008-02-01 19:35:37 UTC
by Johannes Ullrich (Version: 1)
According to news reports, a third undersea cable to the Middle East has been cut. The third cable, cut today, was less important than the other two, but it was one of the systems used as a "backup" during the last few days. On Wednesday, two cables off the coast of Egypt were cut. Today, one more off the coast of Dubai was cut.

Of course, three cuts in such a short time may look suspect. But don't forget that you have "cascade failures", where backup systems go down due to overload once the primary system goes down. The cable that went down today wasn't used much, in part because it was known to be less reliable.

These cable cuts are particularly challenging as repair times are long (weeks) and there is little extra capacity. Other technologies like satellites do not provide the same capabilities as cables. Connectivity to and from the Middle East as well as India is severely affected.

Availability and disaster recovery planning is a frequently neglected security function. Newcomers to the security field are frequently attracted by "cool exploits". But the true professional usually knows that boring and tedious tasks like disaster recovery planning will frequently save the business in the end.

Also see:

Universities in the US being targeted in a Spear Phishing attack.

Published: 2008-02-01
Last Updated: 2008-02-01 15:52:21 UTC
by Mark Hofman (Version: 1)

We’ve had a few reports of Universities/Colleges being hit with some very targeted emails trying to get the userid and password of students.   The email is usually along these lines.



Dear xxxxx Email Account Owner,

This message is from xxxxx messaging center to all xxxxx email account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused xxxxx email account to create more space for new accounts.

To prevent your account from closing you will have to update it below so that we will know that it's a present used account.


 Email Username : .......... .....

EMAIL Password : ................

Date of Birth : .................

Country or Territory : ..........

 Warning!!! Account owner that refuses to update his or her account within Seven days of receiving this warning will lose his or her account permanently.

Thank you for using xxxxxx!

Warning Code:VX2G99AAJ


Xxxxx  Team


The sender will often be xxxxxteam@ followed by either the ISP used to send the message or the university's own address.
The reply address will be external to the organisation.  In the sample we have (thanks John) it is  (where xxxxx is the domain name used by the institution, without the .edu). 

The message often passes through some SPAM filters due to the relatively low volume of messages.

If you have some samples we’d be interested in a copy. 

Look for messages to multiple recipients and increased volume of internal email to one specific external address.  Oh, and educate your students.
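The two checks suggested above can be run over mail logs. The following is an added example, not code from the diary: the log format, the `example.edu` domain, all addresses and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL = "example.edu"  # assumption: the institution's mail domain

# Constructed sample log, one line per message: time, sender, recipients.
SAMPLE_LOG = """\
2008-02-01T09:00:00 exampleteam@isp.example alice@example.edu,bob@example.edu,carol@example.edu,dave@example.edu
2008-02-01T09:20:00 alice@example.edu exampleteam@freemail.example
2008-02-01T09:45:00 bob@example.edu exampleteam@freemail.example
2008-02-01T10:05:00 carol@example.edu friend@other.example
2008-02-01T11:30:00 carol@example.edu exampleteam@freemail.example
"""

def parse(log):
    """Return a list of (datetime, sender, [recipients]), one per log line."""
    out = []
    for line in log.splitlines():
        ts, sender, rcpts = line.split()
        out.append((datetime.fromisoformat(ts), sender.lower(), rcpts.lower().split(",")))
    return out

def is_internal(addr, domain=INTERNAL):
    return addr.rpartition("@")[2] == domain

def bulk_inbound(msgs, min_rcpts=3):
    """External senders whose single message reached many internal mailboxes."""
    return sorted({s for _, s, r in msgs if not is_internal(s)
                   and sum(map(is_internal, r)) >= min_rcpts})

def reply_collectors(msgs, min_senders=3, window=timedelta(hours=24)):
    """External addresses mailed by >= min_senders distinct internal users
    within one window: many users replying to the same outside mailbox."""
    seen = defaultdict(list)  # external address -> [(time, internal sender)]
    for ts, sender, rcpts in msgs:
        if is_internal(sender):
            for r in rcpts:
                if not is_internal(r):
                    seen[r].append((ts, sender))
    flagged = {}
    for addr, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_senders:
                flagged[addr] = sorted(users)
                break
    return flagged

if __name__ == "__main__":
    msgs = parse(SAMPLE_LOG)
    print(bulk_inbound(msgs), reply_collectors(msgs))
```

The internal users listed for a flagged address are the accounts to treat as exposed and to have their passwords reset.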


Looks like it was doing the rounds in Europe around the 13th/16th of Jan; I guess APAC is next.  In Europe the targeting was ISP accounts (thanks Alexander) and others.  Margrete reports that it goes back even further, as much as 2 months.

Looking at the samples sent in,  the text basically only varies where the xxxxx are in the sample shown.  The reply addresses used so far were in and domains.  The ones submitted to us have been taken care of.


Mark H - Shearwater
