
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2014-04-10



Brace Yourselves (and your Users / Clients) for Heartbleed SPAM

Published: 2014-04-10
Last Updated: 2014-04-10 14:33:18 UTC
by Rob VandenBrink (Version: 1)

I started getting emails yesterday asking me to change passwords on services I do not have accounts on - complete with helpful links - back-ended by malware and/or credential harvesting of course.

Just a few minutes ago, I also received a legit email along the same lines, from a security organization.  Unfortunately, they also included links (OOPS), this time legit links, but that's still a big miss on their part.

It's worth a reminder to your user community, clients and even family if you support their machines (and bad computing habits) also. 

Helpful emails with links in them are in most cases NOT helpful.  Don't click that link!

If it's legitimate, and especially this week, by all means browse to the affected site and change your password.  That's always a good idea.  But following an email link to a password change page is a good way to get your credentials stolen, or a good way to pick up a nice "gift" of malware.

 

===============
Rob VandenBrink
Metafore


All things not Heartbleed

Published: 2014-04-10
Last Updated: 2014-04-10 12:47:47 UTC
by Rob VandenBrink (Version: 1)

We were talking yesterday that with the Heartbleed issue front and center, what about the "everything else" factor?

Everyone is so focused on this one issue, and we know that *lots* of folks still have XP and, in all the OpenSSL excitement, might not have patched.  In particular, the horde of XP machines we call ATMs would be a particularly good target this week (or any other week until they get updated really).  So please folks, let's do what we can on the OpenSSL side, but keep the needed focus on other areas too!

Mark's story yesterday on OpenSSL "check" sites makes the great point that these sites can be collecting information as well as giving you info.  Keep in mind that we expect to see some bogus sites pop up too - I'd expect to see some fake check sites distributing malware if we don't see them already.

How about SSL and other site issues that aren't vulnerable to Heartbleed?

As I'm assessing client sites and products for Heartbleed, I'm taking the time to do a more complete (but still quick) assessment.  So the client gets a list of:

  • sites that have self-signed certs
  • broken cert chains
  • sites that allow a less than desirable SSL Encryption level
  • and so on, you get the idea

In short, all those SSL things that were in the last several assessment reports, but were never fixed for some reason.  Folks have the perception that "SSL is hard", so I often see admins avoid changing anything that affects it, even when it's called out in a security assessment report.  But this week's focus on SSL is forcing these issues into the light of day, and allowing us to get a lot of them resolved.
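
A small triage script for the first three list items, added here as an example (it is not the author's tooling). The `classify` and `probe` names and the 128-bit threshold are assumptions; the numeric codes are OpenSSL's X509 verify error codes.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes mapped to the finding categories in the list above.
SELF_SIGNED = {18}               # DEPTH_ZERO_SELF_SIGNED_CERT
BROKEN_CHAIN = {2, 19, 20, 21}   # issuer missing, untrusted root in chain, leaf unverifiable
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_BITS = 128                   # assumption: below this counts as "less than desirable"


def classify(verify_code, protocol, secret_bits):
    """Turn raw handshake facts into a list of report findings."""
    findings = []
    if verify_code in SELF_SIGNED:
        findings.append("self-signed certificate")
    elif verify_code in BROKEN_CHAIN:
        findings.append("broken certificate chain")
    elif verify_code:
        findings.append("certificate validation error %d" % verify_code)
    if protocol in WEAK_PROTOCOLS:
        findings.append("weak protocol negotiated: %s" % protocol)
    if secret_bits is not None and secret_bits < MIN_BITS:
        findings.append("weak cipher strength: %d bits" % secret_bits)
    return findings


def probe(host, port=443, timeout=5):
    """Handshake twice: validating (to get the verify code), then lax (to read the session)."""
    verify_code = 0
    try:
        with socket.create_connection((host, port), timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                pass
    except ssl.SSLCertVerificationError as err:
        verify_code = err.verify_code
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE  # inspection only; never reuse this context for real traffic
    with socket.create_connection((host, port), timeout) as raw:
        with lax.wrap_socket(raw, server_hostname=host) as tls:
            protocol, bits = tls.version(), tls.cipher()[2]
    return classify(verify_code, protocol, bits)


if __name__ == "__main__":
    for target in sys.argv[1:]:  # hostnames passed on the command line
        print(target, probe(target) or ["no findings"])
```

The script reports only the protocol and cipher that this client negotiated, so a server that also accepts weaker settings needs a scanner that offers each protocol and suite in turn.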


===============
Rob VandenBrink
Metafore
