InfoSec News

It is not all that uncommon for a departing executive to let the company know how important he was to the company's success or to provide unsolicited advice on where the company should go after he has gone. Microsoft's Ray Ozzie is the latest executive to undertake this ritual.
 
Cyber Security Awareness Month is over and with it the SQL Slammer Clean-up Exercise. While SQL Slammer is still very much present on the Internet, many unstated goals of the exercise were met. There was a bit more going on behind the scenes that I would like to share now.
Why an exercise?
Firstly, why have a CSAM exercise? Quite a bit of effort goes into the CSAM daily topics over and above the daily Incident Handler's tasks. Some thought that this exercise should have been put off until November. I wanted to have something during the month that technical, non-policy-makers could participate in. It was intended to be a Technical Track to supplement the Policy Track. Also, I wanted to experiment with a new Handler Diary format, linking together a number of articles produced while I'm not actually the Handler of the Day.
Games are a great way to teach people: they get people involved, and there are few methods that teach a skill more effectively than actually doing it. The exercise was modeled as a game. It has boundaries, a beginning and an end, and a way to keep score. This particular game was co-operative (although I suppose you could consider it Us versus Slammer), the boundary was the Internet, and it started October 1st, 2010 and ended November 1st, 2010. For the purposes of scoring, I'm using my darknet sensors and a single Snort rule to distinguish a Slammer attack from a simple MSSQL scan (more on scoring below).
Why slammer?
SQL Slammer was chosen as the exercise target for a number of reasons. Although it is well understood (http://www.sans.org/security-resources/malwarefaq/ms-sql-exploit.php), it was chosen largely due to its ubiquity. There are very few networks that don't see these packets on their perimeter; this meant that everyone could participate. Unlike other botnets and malware in recent circulation, there isn't a criminal organization behind it, so there should have been little risk for the participants.
My expectations
When I proposed this idea to the other Handlers, I was cautioned to not set my expectations too high, or make a wild claim or promise to rid the Internet of SQL Slammer in a month.
My expectation was to get perhaps 30 people or so involved and if we were really lucky and/or diligent we might get 4 to 5 of the top-talkers cleaned up.
Skills we developed/exercised
Now, for the insidious ulterior motive of the exercise. The primary intent of the exercise wasn't to eradicate SQL Slammer; it was to get people looking at their logs again, and manually participating in the abuse reporting process. There's been too much reliance upon automated reporting, and the automated response to reports. It's just too easy to fire-and-forget with an abuse notification. Some organizations even set up automated feeds using formats like ARF (Abuse Reporting Format, see: http://www.shaftek.org/publications/drafts/abuse-report/) so that everything can be handled automatically. With the right infrastructure, this can be quite effective, but I think we can all agree that if a network has Slammer running loose on it, it probably lacks the infrastructure to support ARF.
I hope that the participants looked at their logs differently than they usually do, or that people who would normally quietly watch and study an event instead picked up the phone and contacted someone to get a system cleaned up.
Also, we learned a bit about what it's like when the shoe is on the other foot, when someone else is trying to contact us. Perhaps you found something in your own WHOIS or abuse contact information that needed to be cleaned up.
At the very least, participants had to develop or exercise the "contact a third party" part of their incident response process. Did that run smoothly? Did the use of the spreadsheet to track the notification and response help you capture effective metrics for your process?
Finally, the results
If you pull up port 1434 on DShield it looks like the exercise did more harm than good. It started off the month with a low outlier of 165 sources and ended the month with an average of 235. The problem with the DShield data is that TCP and UDP are merged in that particular report. For scoring this exercise I'm relying on my own darknet sensors that monitor a couple of /16 netblocks. This has the advantage that I know the monitored space and number of sensors didn't change during the course of the exercise, and I have full packet captures, so I can alert on only Slammer packets and rule out any other UDP/1434 traffic that may be present.

The Snort signature that I was using for the exercise (the sid and rev are local placeholders; any sid above 1000000 is fine for a local rule, and Snort will not load a rule without one):

alert udp any any -> any 1434 (msg:"W32.SQLEXP.Worm propagation"; content:"|68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E|"; content:"|04|"; sid:1000001; rev:1;)

The long hex content is three x86 push instructions (opcode 0x68) that build the string "kernel32.dll" on the stack, pushed in reverse order as ".dll", "el32", "kern"; the |04| is the SQL Server Resolution Service opcode whose handler the worm overflows. A bare MSSQL scan sends a short resolution request with no such code in it, which is what keeps the two apart.

My sensor saw a similar distribution of infected sources. October 1st saw a low of 54 IP addresses and ended the month with 79.
The question remains: did I see any of my repeat visitors go offline during the exercise?
I filtered the results down to all of the IP addresses that visited on more than 10 days in October, which gave me 47 systems to plot out over the month. Nearly 13 look to have gone potentially silent during the month; I base this on the number of systems that don't have a mark present on the last few days of the month. On the other hand, there appear to be 2 that were potential new infections. This sent me off on a focused analysis of just those two systems: the first (in Algeria) appears to be a new visitor to my sensor, while the second has been a regular visitor for a long time, typically 4 to 7 visits a month.
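A worked example of the scoring just described, added for this page and not the handler's own tooling. It applies the same match as the Snort rule above (opcode 0x04 in the first byte plus the hex marker, the three push instructions that build "kernel32.dll") to classify UDP/1434 datagrams, ignores plain SSRP scans and anything on TCP, counts Slammer sources per day, and then picks out the repeat visitors, the ones with no packet in the last few days of the window (gone quiet, possibly cleaned) and the ones with no packet in the first few days (possibly newly infected). The function names, the record layout and the traffic are all mine: the addresses are documentation-range, the payloads are abbreviated, the 10-day repeat cut-off is the diary's, and the three-day quiet window is an assumption.

```python
"""Score a darknet sensor's UDP/1434 traffic the way the diary describes:
separate Slammer packets from ordinary SSRP scans, then track which infected
sources kept returning, which went quiet, and which look newly infected.
Example code added for this page; not the handler's own tooling."""
from collections import defaultdict
from datetime import date, timedelta

# Bytes matched by the diary's Snort rule: three x86 "push imm32" instructions
# (opcode 0x68) that build "kernel32.dll" on the stack, pushed in reverse
# order as ".dll", "el32", "kern".
SLAMMER_MARKER = bytes.fromhex("68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E")
SSRP_CLNT_UCAST_INST = 0x04  # SQL Resolution Service opcode Slammer overflows


def is_slammer(payload: bytes) -> bool:
    """Mirror the rule: opcode 0x04 in byte 0 and the push sequence anywhere."""
    return (len(payload) > 1 and payload[0] == SSRP_CLNT_UCAST_INST
            and SLAMMER_MARKER in payload)


def classify(proto: str, dst_port: int, payload: bytes) -> str:
    """'slammer', 'mssql-scan' (any other UDP/1434 datagram) or 'other'."""
    if proto != "udp" or dst_port != 1434:
        return "other"
    return "slammer" if is_slammer(payload) else "mssql-scan"


def score(records, start, end, min_days=10, quiet_days=3):
    """records: (iso_day, src_ip, proto, dst_port, payload) tuples.
    Returns per-day Slammer source counts plus the repeat visitors (seen on
    more than min_days distinct days), those among them with no packet in the
    last quiet_days of the window (gone silent) and those with no packet in
    the first quiet_days (candidate new infections)."""
    start, end = date.fromisoformat(start), date.fromisoformat(end)
    days_by_ip = defaultdict(set)
    for iso_day, src, proto, dport, payload in records:
        if classify(proto, dport, payload) == "slammer":
            days_by_ip[src].add(date.fromisoformat(iso_day))
    per_day = defaultdict(int)
    for days in days_by_ip.values():
        for d in days:
            per_day[d.isoformat()] += 1
    head = {start + timedelta(days=i) for i in range(quiet_days)}
    tail = {end - timedelta(days=i) for i in range(quiet_days)}
    repeat = {ip for ip, days in days_by_ip.items() if len(days) > min_days}
    return {
        "per_day": dict(sorted(per_day.items())),
        "repeat": repeat,
        "silent": {ip for ip in repeat if not days_by_ip[ip] & tail},
        "new": {ip for ip in repeat if not days_by_ip[ip] & head},
    }


# --- constructed sample traffic (not real captures) -------------------------
# Abbreviated Slammer datagram: opcode 0x04, the 0x01 filler that overruns the
# instance-name buffer, then the marker bytes. A real packet is 376 bytes.
SLAMMER_PAYLOAD = b"\x04" + b"\x01" * 96 + SLAMMER_MARKER + b"\x90" * 16
SCAN_PAYLOAD = b"\x03"  # bare SSRP enumeration probe, as scanners send it


def _days(first: int, last: int):
    return [date(2010, 10, d).isoformat() for d in range(first, last + 1)]


SAMPLE_RECORDS = (
    [(d, "192.0.2.10", "udp", 1434, SLAMMER_PAYLOAD) for d in _days(1, 31)]    # steady
    + [(d, "192.0.2.20", "udp", 1434, SLAMMER_PAYLOAD) for d in _days(1, 20)]  # stops
    + [(d, "192.0.2.30", "udp", 1434, SLAMMER_PAYLOAD) for d in _days(15, 31)] # starts
    + [(d, "192.0.2.40", "udp", 1434, SCAN_PAYLOAD) for d in _days(1, 31)]     # scanner
    + [(d, "192.0.2.50", "udp", 1434, SLAMMER_PAYLOAD) for d in _days(5, 6)]   # brief
    + [(d, "192.0.2.60", "tcp", 1434, SLAMMER_PAYLOAD) for d in _days(1, 31)]  # not UDP
)


def demo():
    """Score the constructed month with the diary's 10-day cut-off."""
    return score(SAMPLE_RECORDS, "2010-10-01", "2010-10-31",
                 min_days=10, quiet_days=3)


if __name__ == "__main__":
    result = demo()
    print("first day:", result["per_day"]["2010-10-01"],
          "last day:", result["per_day"]["2010-10-31"])
    print("repeat:", sorted(result["repeat"]))
    print("silent:", sorted(result["silent"]), "new:", sorted(result["new"]))
```

On the constructed month the repeat visitors are .10, .20 and .30; .20 has gone silent and .30 is the candidate new infection, while the scanner and the TCP source never enter the count. Against real captures each record would be one datagram from the pcap, and the "new" set still deserves the manual follow-up the diary describes, because a host that merely changed address looks exactly the same as a fresh infection.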

Things I learned
Like any worthwhile exercise, I too learned a thing or three from the process. I was introduced to NFSen (http://nfsen.sourceforge.net/) and Abusix (http://abusix.org/).
One thing that I would have changed in managing the exercise is that we should have set up a role-based email address to handle the correspondence. This would have made tracking the participants of the exercise much easier and allowed me to organize and prioritize the emails more effectively.
Previous articles
Each entry was tagged for convenience; all are available here: http://isc.sans.edu/tag.html?tag=slammercleanup
Cyber Security Awareness Month Activity: SQL Slammer Clean-up (http://isc.sans.edu/diary.html?storyid=9637)

SQL Slammer Clean-up: How to Report (http://isc.sans.edu/diary.html?storyid=9664)

SQL Slammer Clean-up: Reporting Upstream (http://isc.sans.edu/diary.html?storyid=9712)

SQL Slammer Clean-up: Picking up the Phone (http://isc.sans.edu/diary.html?storyid=9778)

SQL Slammer Clean-up: Switching Viewpoints (http://isc.sans.edu/diary.html?storyid=9811)

SQL Slammer Clean-up: Contacting CERTs (http://isc.sans.edu/diary.html?storyid=9841)

SQL Slammer Clean-up: Roundup and Review (http://isc.sans.edu/diary.html?storyid=9871)

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Want to clean and optimize your PC? You've probably heard of CCleaner, arguably the world's most popular tool for doing the job. Developer Piriform just released CCleaner 3.0. The big news in this update? A native 64-bit version for use with like editions of Windows.
 
Oracle VM CVE-2010-3583 Remote Command Execution Vulnerability
 
Lawyers for Oracle and SAP made their opening arguments Tuesday in the companies' TomorrowNow lawsuit, with each side giving a very different story to the jury about how damages in the case should be calculated.
 
Microsoft appears to be preparing to launch a new website called "Next" where it will share information about new technologies it and others are developing.
 
A 23-year-old California man allegedly broke into the Web mail accounts of more than 3,000 women and posted sexually explicit images of many of them on Facebook, according to police.
 
Oracle VM CVE-2010-3585 Remote Code Execution Vulnerability
 
Xpdf Multiple Integer Overflow Vulnerabilities
 
Xpdf 'Gfx::getPos()' (CVE-2010-3702) Uninitialized Pointer Dereference Vulnerability
 
Intel on Tuesday said the company would begin contract manufacturing of chips, a change from the company's policy of serving only itself through its factories.
 
AirMagnet's new versions of its Wi-Fi Analyzer and Survey applications let enterprise network administrators dig deeper into a chronic problem: wireless clients that roam from one AP to another and end up with a worse connection.
 
The U.S. International Trade Commission has launched investigations related to two recent patent-infringement complaints brought to the agency, one filed by Microsoft against Motorola for its Android-based smartphones and one focused on Nintendo's Wii gaming system.
 
Oracle VM CVE-2010-3584 'ovs-agent' Local Privilege Escalation Vulnerability
 
Adobe Acrobat, Reader, and Flash CVE-2010-3654 Remote Code Execution Vulnerability
 
We have seen a couple of instances of search result poisoning for election-related search terms. Right now, this is not widespread but of course depends largely on the search terms you use.
One affected domain appears to be digicube.biz and malicious results are already blocked on Google. The malicious results use the search term as part of the URL, probably in an attempt to achieve a higher ranking (we have seen this before).
For example, for the search term "2010 election results", you may get:
digicube.biz/..../news=2010-election-results (parts removed to protect our readers)
At this point, these links do not show up very high in Google's ranking for these search results. If you find more polluted search terms, please let us know. Websense published a blog post with a few more details and search terms [1].
[1] http://community.websense.com/blogs/securitylabs/archive/2010/11/01/rogue-av-rides-the-US-midterm-elections-wave.aspx
------

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

 
Electronic voting appears to be going smoothly in New York City, a far cry from a month ago when problems caused widespread confusion and closed some polling places for a time.
 
The security researcher who created the Firesheep snooping tool defended his work today, saying it's no one's business what software people run on their computers.
 
Republican candidates have become far more tech-savvy in the months leading to Tuesday's election.
 
The Wi-Fi Alliance and the HomePlug Powerline Alliance plan to collaborate on applications that allow smart energy grids to interoperate with "connected" homes.
 

The New CISO: How the role has changed in 5 years (IDG News Service)
Regulatory agencies are pushing towards enterprise risk management programs that encompass far more than just infosec, so my role has broadened. ...
 
Dell on Tuesday acquired a software-as-a-service integration company called Boomi as it tries to expand its cloud computing offerings.
 
Is the United States wasting its time and playing to the fears of "nativists" with its current H-1B visa policies? Some libertarians say yes--and argue that the U.S. needs to abolish H-1B restrictions.
 
Reader Tom is dealing with this major hassle:
 
This directory includes laws, regulations and industry guidelines with significant security and privacy impact and requirements. Each entry includes a link to the full text of the law or reg as well as information about what and who is covered.
 
Bob Muglia, Microsoft's Server and Tools Business chief, seemed to marginalize Silverlight at last week's Professional Developers Conference, saying, "our strategy has shifted."
 
The U.S. Federal Trade Commission has amended a settlement order in an antitrust case against Intel by exempting a planned chipset for netbooks from requirements that they include an interface with the open standard PCI Express Bus.
 
Thirty-three contributors to the OpenOffice.org project are leaving, unhappy with what they say is Oracle's attitude toward the project's organization and management.
 
Microsoft claims its Windows Phone 7 smartphones allow users to do more in fewer steps than do rival phones.
 
Top Internet companies like Google, Facebook and Twitter are encouraging their users to vote in today's federal and state election contests.
 
Four years after its debut, the "ribbon" interface in Microsoft's Office suite still gives businesses the shudders, a research firm said today.
 
Move over, gadget teardowns. We tear down Oracle's legendary leader to see what powers the man known for big verbal stings and even bigger yachts.
 
SAP would pay Oracle $120 million for "past and future reasonable attorneys fees and costs" under the terms of a joint stipulation filed Monday in connection with the companies' ongoing intellectual-property lawsuit.
 
NewsGator will add an enterprise RSS module to its Social Sites 2010 suite, which provides a variety of enterprise social networking and collaboration capabilities to Microsoft's SharePoint 2010.
 
MIT Kerberos KDC 'kdc_authdata.c' NULL Pointer Denial Of Service Vulnerability
 
Oracle CEO Larry Ellison famously once asked, "What the hell is cloud computing?" Nonetheless, Oracle has jumped onto the cloud bandwagon, with company officials on Monday afternoon touting the concept and the products and services that accommodate it.
 
Oracle announced Tuesday that it plans to buy e-commerce vendor Art Technology Group for about US$1 billion. The deal is expected to be completed early next year.
 
XSS vulnerability in Kandidat CMS
 
 
XSS vulnerability in MemHT Portal
 
 
People who report serious Web application flaws in YouTube and Blogger could receive a reward as much as $3,133.70.

 
Webmedia Explorer HTML Injection Vulnerability
 
[SECURITY] [DSA 2123-1] New NSS packages fix cryptographic weaknesses
 
 
 
Lookout Mobile Security will soon start selling a premium version of its smartphone security software that includes new privacy and backup and restore features.
 
Google and a reseller of its products have filed a lawsuit against the U.S. Department of the Interior after the agency solicited bids for cloud-based e-mail and messaging services specifying that bidders must use Microsoft products.
 
If you need to edit PDF documents, there are alternatives to the high-priced Adobe Acrobat. We reviewed three of those alternatives alongside Adobe's standard application.
 
 
ProFTPD Multiple Remote Vulnerabilities
 
AT&T and T-Mobile will start selling Windows Phone 7 smartphones on Nov. 8, a date Microsoft recently began promoting in clever, if questionable, TV ads labeled 'Really?'
 
Iterative, collaborative software development catches on a decade after the Agile Manifesto
 
Nearly half of the IT decision makers surveyed recently by Gartner named data growth as one of their top three challenges and almost two-thirds of them plan to add capacity next year.
 
The new Open Data Center Alliance is counting on its collective $50 billion in IT spending to convince vendors to develop interoperable products and halt vendor lock-in.
 
AVG Internet Security IOCTL Local Denial of Service Vulnerability
 
Rising Antivirus 2009 IOCTL Local Denial of Service Vulnerability
 

FEITIAN Technologies Co Ltd., speaks at RSA China Conference concerning anti ... (Online PR News, press release)
FEITIAN Technologies International Technical Consultant Gregory Dunn presented the speech at the first annual RSA China INFOSEC international forum in ...
 
InfoSec News: Tackling Insider Fraud From The Outside-In: http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=228000516
By Robert Lemos, Contributing Writer, DarkReading, Nov 01, 2010
IT managers spend a lot of their time dealing with malicious code and violations of corporate policy, but insider fraud in the workplace is a major problem that frequently shows up on their radar screen, as well.
In 2009, the average company lost nearly 5 percent of its revenue to fraud perpetrated by employees, according to the 2010 Report to the Nations on Occupational Fraud and Abuse (PDF). Asset fraud -- stealing company resources -- represented 90 percent of the incidents, but only averaged $135,000 in losses per company. On the other hand, financial fraud makes up only 5 percent of all cases of corporate fraud, but it is the most damaging, with a median loss of more than $4 million, according to the report, which is published every two years by the Association of Certified Fraud Examiners (ACFE).
Employees can be tempted by their privileged access to data, says Ben Knieff, director of product marketing for fraud products at Actimize. "They have a high level of access, which gives them a greater opportunity to commit fraud," he says.
The report found that 85 percent of fraud was committed by individuals with no prior records of abuse. Even so, there are a number of proactive steps that companies can take.
[...]
 
InfoSec News: President Should Have 'Kill Switch' For Internet, Most Americans Say: Forwarded from: Richard Forno <rforno (at) infowarrior.org>
In this case, the question was framed as "ZMGWHATIFTHEWORSTCASEHAPPENS" -- so of course you'll get a lot of folks responding from a position of extreme fear and not rational analysis. It all comes down to how you phrase the question. A scene from "Yes Prime Minister" demonstrates the ease with which surveys can be generated to skew results toward a given position: See: http://www.imdb. [...]
 
InfoSec News: The unvarnished truth about unsecured Wi-Fi: http://news.cnet.com/8301-27080_3-20021188-245.html
By Elinor Mills, InSecurity Complex, CNet News, November 1, 2010
Chances are you don't leave your front door unlocked. And you shouldn't leave your Wi-Fi network unsecured either.
Many of you may have heard this before, but many still seem to not be doing anything about it. You should. Here's why. With a $50 wireless antenna and the right software a criminal hacker located outside your building as far as a mile away can capture passwords, e-mail messages, and any other data being transmitted over your network, and even decrypt data that is supposedly protected.
Someone could also join the network and launch attacks on your computer and any other devices using the network at that time. If file sharing has been left on or the personal firewall is misconfigured it's relatively easy to access the computer via an open Wi-Fi network. Someone could upload an executable program to a file on your hard drive that steals data or just leaves a back door for future access. And if you are using the network to connect to a corporate network through a VPN (virtual private network) an attacker can get into the corporate system too.
"The most dangerous thing is a direct attack," Don Bailey, a security consultant at iSec Partners who is also an expert on telecommunications snooping, told CNET. "The threat is not only that your traffic can be sniffed, but that an attacker can get access to all your data and connections on your computer, even those supposedly secured by SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption."
[...]
 
InfoSec News: [Dataloss Weekly Summary] Week of Sunday, October 24, 2010:
========================================================================
Open Security Foundation - DataLossDB Weekly Summary
Week of Sunday, October 24, 2010
10 Incidents Added.
========================================================================
DataLossDB is a research project aimed at documenting known and reported data loss incidents world-wide. The Open Security Foundation asks for contributions of new incidents and new data for [...]
 
InfoSec News: ATM Fraud: Skimming is #1 Threat: http://www.bankinfosecurity.com/articles.php?art_id=3053
By Linda McGlasson, Managing Editor, Bank Info Security, November 1, 2010
Will 2011 be "The Year of the Skimmer?"
After an uptick in skimming incidents already in 2010, security experts say that we will see even more skimming in the United States in the months ahead, particularly against ATMs. Lingering magnetic-stripe technology, rather than EMV chip standard used in Europe and elsewhere, is to blame, experts say.
While the average ATM skimming attack spans a timeframe of between one and two hours, losses per incident average $30,000, according to ADT Security Solutions, which provides anti-skimming solutions for the financial industry. ADT also estimates that ATM skimming attacks cost financial institutions and their customers 10 times more than losses suffered during robberies. According to ACI Worldwide's Card Fraud Guide, overall card fraud continues to escalate. ACI's report shows U.S. credit and debit card losses continue to increase. In 2004, credit card losses accounted for $1.8 billion and rose to $2.04 billion in 2007. Debit card losses accounted for $810 million in 2004 and rose to $1.05 billion in 2007.
Tom Wills, a fraud analyst at Javelin Strategy & Research, says criminals responsible for the skimming at ATMs and POS devices have been caught this year, but their arrests are no deterrent. "2010 has been a good year for law enforcement," he says. "But as long as there are vulnerable devices out there, the bad guys will continue to target and attack them."
[...]