Alerts

ISC StormCast for Tuesday, July 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4045, (Tue, Jul 1st)

Latest Alerts - Mon, 06/30/2014 - 17:18
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Apple Releases Patches for All Products, (Tue, Jul 1st)

Latest Alerts - Mon, 06/30/2014 - 17:04

Apple today released patches for most (all?) of its operating systems. For more details from Apple, see http://support.apple.com/kb/ht1222.

- OS X has been updated to 10.9.4 (Security Update 2014-003). The security update is also available for older versions of OS X.
- Safari has been updated to 6.1.5 and 7.0.5
- iOS has been updated to 7.1.2
- Apple TV has been updated to 6.2.

The largest common source of patches across these products is WebKit. The updates should be applied in a timely manner; there is no indication at this point of active exploitation. The iOS update also patches a problem that would allow an attacker to bypass Activation Lock, as well as a lock screen bypass that was demoed publicly a couple of weeks ago.

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Should I setup a Honeypot? [SANSFIRE], (Mon, Jun 30th)

Latest Alerts - Mon, 06/30/2014 - 07:28

During last week's ISC handler panel at SANSFIRE, we had a lot more questions than we could answer. So I am trying to post some of these questions here over the next few days/weeks, and please chime in and give your answers as well. The questions will use the tag "SANSFIRE" and will also be labeled as such in the subject.

The first question we got: "How would one justify to management that setting up honeypots on the network is a good idea?"

The goal of having a honeypot is to learn more about your attackers. A honeypot has no legitimate users, so essentially all the traffic it sees is malicious, which makes attacks easy to spot. You can use data from successful attacks against a honeypot to derive indicators of compromise that are then used to detect similar attacks against business systems. Without the honeypot, it would be very difficult to spot these attacks among all the other traffic a business system sees.

First of all, if you do set up a honeypot, make sure you do so correctly. The last thing you want is for the honeypot to pose a risk to your network. Overall, there are a number of different kinds of honeypot. You could set up a "full interaction" honeypot. This is usually a vulnerable host complete with operating system and respective software. These full interaction honeypots need a lot of care and supervision; they can easily be turned against you. If you decide to set one up: don't make it too vulnerable, and configure it similarly to your production systems. The goal is not to find "any" attacker, but the attackers that matter.

As an alternative to a full interaction honeypot, you may want to consider a medium-interaction honeypot. These honeypots simulate vulnerable services. They are a lot easier to maintain and generally safer. One such honeypot we discussed in the past is kippo, which simulates a vulnerable SSH server. The problem with these honeypots is that they are easily spotted by a sophisticated attacker. But they do allow you to collect the malware attackers upload (so you can search for it on other systems).

Lastly, and in my opinion one of the most useful kinds of honeypot, are what some people call "honeytokens". Instead of dedicating a machine to the task of being a honeypot, you add little trap doors to existing applications. Two or three such trap doors do a good job of identifying attackers who go the extra mile and do some manual work, versus just running nmap/nessus and similar tools against your site.

Does anybody here have a success story about how data collected from a honeypot became useful?

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

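The trap-door idea from the honeytoken paragraph, as an added example that is not from the diary or any ISC tool: a small WSGI middleware that registers a few unlinked trap URLs and a canary login, logs any request that touches them, and keeps a per-source tally so that a visitor who trips more than one trap is separated from a scanner that only hit linked pages. The trap paths, the canary user name, the addresses in the constructed requests and the `HoneytokenMiddleware` name are all assumptions of this example.

```python
"""Honeytoken "trap doors" for an existing web application.

Added example, not code from the ISC diary. It assumes a WSGI application
and uses hypothetical trap paths and a hypothetical canary credential; they
must never be linked or used legitimately, so any hit is a human (or a
targeted tool) exploring by hand rather than a blind nmap/nessus sweep.
"""
import base64
import logging
import time
from collections import defaultdict

log = logging.getLogger("honeytoken")

# Hypothetical trap paths: referenced only where a person reading the page
# source would notice them (an HTML comment, a disabled form field), never linked.
TRAP_PATHS = {
    "/admin/backup-2014.sql",
    "/api/v1/internal/users",
    "/.git/config.old",
}
# Hypothetical canary account mentioned in a fake config comment; it has no
# real privileges anywhere, so using it proves someone read the page source.
CANARY_USER = "svc_backup"


class HoneytokenMiddleware:
    """Wrap a WSGI app: record and alert on any request that trips a trap."""

    def __init__(self, app, alert=None):
        self.app = app
        self.alert = alert or (lambda evt: log.warning("HONEYTOKEN %r", evt))
        self.hits = defaultdict(list)          # client ip -> list of events

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        client = environ.get("REMOTE_ADDR", "?")   # trust X-Forwarded-For only behind your own proxy
        kind = None
        if path in TRAP_PATHS:
            kind = "trap_path"
        elif self._presented_canary(environ):
            kind = "canary_credential"
        if kind is None:
            return self.app(environ, start_response)
        event = {"kind": kind, "path": path, "ip": client, "ts": time.time(),
                 "ua": environ.get("HTTP_USER_AGENT", "")}
        self.hits[client].append(event)
        self.alert(event)
        # Answer like any other missing page so the trap itself teaches nothing.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found\n"]

    @staticmethod
    def _presented_canary(environ):
        """True if the request used the canary user name in HTTP Basic auth."""
        auth = environ.get("HTTP_AUTHORIZATION", "")
        if not auth.lower().startswith("basic "):
            return False
        try:
            user, _, _ = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return user == CANARY_USER

    def manual_attackers(self, min_hits=2):
        """IPs that tripped at least min_hits traps: the hands-on visitors worth a closer look."""
        return sorted(ip for ip, evts in self.hits.items() if len(evts) >= min_hits)


def _app(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def make_environ(path, ip, auth=None, ua="curl/7.x"):
    """Constructed WSGI environ for one request (no real web server involved)."""
    env = {"PATH_INFO": path, "REMOTE_ADDR": ip, "HTTP_USER_AGENT": ua, "REQUEST_METHOD": "GET"}
    if auth:
        env["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(auth.encode()).decode()
    return env


def run_request(mw, environ):
    """Push one request through the middleware; return (status, body)."""
    seen = {}
    body = b"".join(mw(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], body


def demo():
    """Constructed traffic: one ordinary visitor and one hands-on visitor."""
    mw = HoneytokenMiddleware(_app, alert=lambda e: None)
    results = [run_request(mw, make_environ(*req)) for req in (
        ("/index.html", "203.0.113.5"),
        ("/robots.txt", "198.51.100.7"),                          # tool noise, not a trap
        ("/admin/backup-2014.sql", "198.51.100.7"),               # trap path
        ("/login", "198.51.100.7", "svc_backup:Backup!2014-q2"),  # canary credential
    )]
    return mw, results


if __name__ == "__main__":
    mw, _ = demo()
    print("hands-on visitors:", mw.manual_attackers())
```

Because the traps are never linked, a single hit is already a strong signal; the 404 keeps the trap from advertising itself, and the logged source, user agent and timing are exactly the indicators the paragraph above talks about carrying over to the business systems. Keep the trap list short, and retire a path once it shows up in a public scanner wordlist, since from then on it will catch tools rather than people.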

ISC StormCast for Monday, June 30th 2014 http://isc.sans.edu/podcastdetail.html?id=4043, (Mon, Jun 30th)

Latest Alerts - Sun, 06/29/2014 - 17:00

Call for packets - Traffic from 116.177.0.0/16, (Fri, Jun 27th)

Latest Alerts - Fri, 06/27/2014 - 16:24

If you have log records or packets for traffic from this particular subnet, or anything else you can share, I'd appreciate it.

Likely what you will have is DNS open resolver checks, as well as SSH brute-force password-guessing attacks. I'm interested in those as well as anything else from this subnet.

Regards

Mark H - markh.isc (at) gmail.com

(Thanks to those of you that have provided packets, logs and other info, much appreciated)


No more Microsoft advisory email notifications?, (Sat, Jun 28th)

Latest Alerts - Fri, 06/27/2014 - 16:23

We had this sent to us today, letting us know there will no longer be emails sent by Microsoft for advance notifications, etc. Instead, people are to use the RSS feeds or other mechanisms.

********************************************************************
Title: Microsoft Security Notifications
Issued: June 27, 2014
********************************************************************

Notice to IT professionals:

As of July 1, 2014, due to changing governmental policies concerning the issuance of automated electronic messaging, Microsoft is suspending the use of email notifications that announce the following:

* Security bulletin advance notifications
* Security bulletin summaries
* New security advisories and bulletins
* Major and minor revisions to security advisories and bulletins

In lieu of email notifications, you can subscribe to one or more of the RSS feeds described on the Security TechCenter website. 

For more information, or to sign up for an RSS feed, visit the Microsoft Technical Security Notifications webpage at http://technet.microsoft.com/security/dd252948

Not quite sure what legislation changes they might be referring to (haven't seen anything yet). Either way, if, like me, you used to receive these emails, you may no longer, and you'll have to subscribe to the RSS feed.

I couldn't find anything on the Microsoft website (let me know if you can), but when following the links for "sign up for email notification", every page visited only has an RSS or web option, no email.

Cheers

Mark H  - Shearwater


PHP 5.4.30 has been released. More info here http://www.php.net/ChangeLog-5.php#5.4.30, (Sat, Jun 28th)

Latest Alerts - Fri, 06/27/2014 - 16:09

ISC StormCast for Friday, June 27th 2014 http://isc.sans.edu/podcastdetail.html?id=4041, (Fri, Jun 27th)

Latest Alerts - Thu, 06/26/2014 - 17:47

In case you missed it - Mobile phone search ruling in US, (Fri, Jun 27th)

Latest Alerts - Thu, 06/26/2014 - 17:09

In case you missed it: in the US there has been a ruling that mobile phone searches require a warrant. This may have some implications for those of you who are forensically inclined. Some articles can be found here:

  • http://www.smh.com.au/technology/sci-tech/warrant-needed-for-mobile-phone-search-us-20140626-zsm5b.html
  • http://guardianlv.com/2014/06/mobile-phones-protected-by-fourth-amendment/

Regards

Mark H


ISC StormCast for Thursday, June 26th 2014 http://isc.sans.edu/podcastdetail.html?id=4039, (Thu, Jun 26th)

Latest Alerts - Wed, 06/25/2014 - 17:46

VMWare updates, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 20:37

A new update has been released, http://www.vmware.com/security/advisories/VMSA-2014-0007.html. It addresses some Apache Struts issues.

http://www.vmware.com/security/advisories/VMSA-2014-0006.html has also been updated (this was the OpenSSL update).  

M


Do you have some DNS requests/replies you could share?, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 18:03

Looking at DNS traffic, it looks like it has been a busy month, but traffic seems to have dropped off.


Port 53 as a target has dropped off, and during June there was an increase in traffic with a source port of 53, something we've seen on various IDS. We see a few types of packets. The first is a request for ANY for a particular domain with the packet size set to 65535 and a spoofed source IP (i.e. the target). That accounts for the traffic to port 53.

The second type of request we see is from port 53, typically with random source ports and typically to a number of servers in the target network. The only thing that changes is often the query ID. So these are likely attempts to poison the cache.

The third type we see is DNS requests to check for open resolvers, and a final type of query we see a lot of is DNS queries with HTTP elements in the traffic.

There are a few things I'm interested in: what caused the drop-off for port 53 as the target, what DNS queries you are seeing targeting your environment, and, if you can share, the actual request itself.

Regards

Mark H

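The four traffic patterns described in the post above, turned into detection logic as an added example (not ISC code or data): the records are constructed, flow-level summaries of what an IDS would log, with the field names, the 192.0.2.0/24 "local" prefix and the example.com zone all being assumptions of this example. The spoofing evidence for the first pattern is a claimed source inside our own prefix arriving on port 53 of our server; the cache-poisoning rule counts answers from port 53 that match no query of ours and vary only in query ID and destination host.

```python
"""Sort edge DNS traffic into the patterns described in the diary entry.

Added example, not ISC code or data. The records are constructed flow-level
summaries of the kind an IDS logs (field names are this example's own);
LOCAL_NET and OUR_ZONES are assumptions standing in for your address space
and the zones your servers are authoritative for.
"""
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed: our address space
OUR_ZONES = ("example.com.",)                       # assumed: zones we serve
HTTP_TOKENS = (b"GET ", b"POST ", b"HTTP/1.")


def classify(pkts, poison_threshold=5):
    """Return (pattern, source_ip, detail) findings for a list of packet records."""
    findings = []
    outstanding = set()       # (our_ip, our_port, server_ip, qid) for queries we sent out
    unsolicited = defaultdict(lambda: {"qids": set(), "dsts": set()})

    for p in pkts:
        src, dst = ipaddress.ip_address(p["src"]), ipaddress.ip_address(p["dst"])
        if not p["response"] and src in LOCAL_NET and dst not in LOCAL_NET and p["dport"] == 53:
            outstanding.add((p["src"], p["sport"], p["dst"], p["qid"]))   # our own outbound query
            continue
        if dst not in LOCAL_NET:
            continue                                                       # inbound traffic only
        if not p["response"] and p["dport"] == 53:
            payload = p.get("payload", b"")
            if p["qtype"] == "ANY" and p.get("edns_size", 0) >= 4096:
                # Pattern 1: reflection trigger. The source is whoever the attacker
                # wants flooded; one claiming to be inside our own prefix, arriving
                # from outside, is hard evidence that it is spoofed.
                spoofed = "spoofed" if src in LOCAL_NET else "unverified"
                findings.append(("amplification_trigger", p["src"],
                                 f"ANY {p['qname']} edns={p['edns_size']} src={spoofed}"))
            elif any(t in payload for t in HTTP_TOKENS):
                # Pattern 4: HTTP request text where a DNS message should be
                findings.append(("http_in_dns", p["src"], payload[:16]))
            elif p.get("rd") and src not in LOCAL_NET and not p["qname"].endswith(OUR_ZONES):
                # Pattern 3: recursion requested for a name we do not serve
                findings.append(("open_resolver_probe", p["src"], p["qname"]))
        elif p["response"] and p["sport"] == 53:
            key = (p["dst"], p["dport"], p["src"], p["qid"])
            if key in outstanding:
                outstanding.discard(key)                                   # a normal answer
                continue
            # Pattern 2: answers nobody asked for, aggregated per source and name
            bucket = unsolicited[(p["src"], p["qname"])]
            bucket["qids"].add(p["qid"])
            bucket["dsts"].add(p["dst"])

    for (src, qname), b in unsolicited.items():
        if len(b["qids"]) >= poison_threshold and len(b["dsts"]) > 1:
            findings.append(("cache_poison_attempt", src,
                             f"{qname}: {len(b['qids'])} query ids to {len(b['dsts'])} hosts"))
    return findings


def _pkt(**fields):
    """One constructed record; unspecified fields get neutral defaults."""
    base = {"response": False, "qid": 0, "qtype": "A", "qname": "", "sport": 0, "dport": 0}
    base.update(fields)
    return base


def sample_packets():
    """Constructed traffic mixing the four patterns with ordinary queries and answers."""
    pkts = [
        # ANY for a domain with a 65535-byte EDNS buffer, source forged as one of our own hosts
        _pkt(src="192.0.2.77", sport=1024, dst="192.0.2.53", dport=53, qtype="ANY",
             qname="isc.sans.edu.", edns_size=65535, qid=0x1234),
        # recursion desired for a name we do not serve: an open-resolver check
        _pkt(src="203.0.113.8", sport=41000, dst="192.0.2.53", dport=53,
             qname="www.google.com.", rd=True, qid=0x0001),
        # an HTTP request sent to UDP/53
        _pkt(src="203.0.113.9", sport=52345, dst="192.0.2.53", dport=53, qtype="?",
             payload=b"GET / HTTP/1.1\r\nHost: 192.0.2.53\r\n\r\n"),
        # our resolver's own query and the matching answer: legitimate
        _pkt(src="192.0.2.10", sport=40001, dst="198.51.100.9", dport=53,
             qname="cdn.example.net.", qid=0x0AAA),
        _pkt(src="198.51.100.9", sport=53, dst="192.0.2.10", dport=40001,
             qname="cdn.example.net.", qid=0x0AAA, response=True),
        # ordinary query for a zone we are authoritative for
        _pkt(src="203.0.113.20", sport=3333, dst="192.0.2.53", dport=53,
             qname="www.example.com.", qid=0x0002),
    ]
    # six answers "from port 53" that nobody asked for, spread over three of our
    # hosts and differing only in destination port and query id
    for i in range(6):
        pkts.append(_pkt(src="198.51.100.9", sport=53, dst=f"192.0.2.{10 + i % 3}",
                         dport=30000 + i, qname="login.example.net.", qid=0x2000 + i,
                         response=True))
    return pkts


if __name__ == "__main__":
    for finding in classify(sample_packets()):
        print(*finding)
```

In production the unsolicited-answer bookkeeping needs a time window and must see both directions of traffic, otherwise every answer to your own resolver looks unsolicited; the thresholds (a 4096-byte EDNS buffer, five query IDs) are starting points, not tuned values.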

ISC StormCast for Wednesday, June 25th 2014 http://isc.sans.edu/podcastdetail.html?id=4037, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 17:49

Spam, talk about false advertising, (Wed, Jun 25th)

Latest Alerts - Tue, 06/24/2014 - 17:38

SPAM SPAM SPAM. It never fails to entertain.

Like most of you I get my fair share of SPAM, and like a number of you I will happily click links (not a recommendation) and follow the little yellow brick road to whatever malware or "sales" opportunity presents itself. This one was just a bit more random than others I've received lately.


A quote for a home security system? Great, I need one of those; the dog is just not interested in chasing away strangers that walk up to the house. Following the link I end up on the following page, after a redirect from the libbean page.

OK, not quite the home security system I was hoping for, but I like a game as much as the next guy. Unfortunately, hitting the "download for free" button I didn't get the promised Flappy Bird, but ended up here instead.

Now I don't know if Vox software is just a random landing or the SPAM run was commissioned. If the latter, there are organisations that have no problem with using SPAM for "legitimate" advertising, or they are just not aware. Not quite sure which is worse.

So every now and then SPAM does have some entertainment value, at least to me. Didn't get the home security system I was promised though, nor a fun game to play. Ah well.

Cheers

Mark H


NTP DDoS Counts Have Dropped, (Tue, Jun 24th)

Latest Alerts - Tue, 06/24/2014 - 13:49

I was poking around the usual online rags and found a piece on Threat Post [1]. Mike Mimoso was highlighting the decline of the NTP DDoS hole found earlier in the year. The ISC covered it in our diary a few months back:

NTP Reflection Attack 
Ongoing NTP Amplification Attacks
NTP Reflection Attacks Continue

So, I went poking through the port data and noticed a good correlation to the Threat Post story. The numbers indicate a sharp decrease in vulnerable systems for the NTP monlist issue. I'd like to suggest that while pundits are citing slow progress for patching Heartbleed, in actuality the Heartbleed issue is responsible for the sudden change. The month of May showed an extensive effort for patching and truing up patch levels because of Heartbleed. This effort likely assisted in the NTP issue being patched along with it. The following graph was taken from ISC data gathered here:

https://isc.sans.edu/port.html?&port=123

Feel free to share your thoughts on this one.

[1] http://threatpost.com/dramatic-drop-in-vulnerable-ntp-servers-used-in-ddos-attacks/106835

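A quick way to check whether one of your own NTP servers is still among the vulnerable systems counted above, as an added example rather than ISC code or data: build the mode 7 monlist request that scanners such as nmap's ntp-monlist script send, parse the reply header, and decide from the error code and entry count whether the peer list is still being handed out. The reply bytes used here are constructed, not captured; `probe()` talks to a real host only when one is given on the command line.

```python
"""Check whether an NTP server still answers the mode 7 "monlist" request.

Added example, not ISC code. It builds the request the way tools such as
nmap's ntp-monlist script do, parses the reply header, and can send the
probe over UDP. The reply bytes used for testing are constructed here, not
captured; point probe() only at servers you are responsible for.
"""
import socket
import struct
import sys

# Request header: byte 0 = 0x17 (R=0, M=0, version 2, mode 7), byte 1 = sequence,
# byte 2 = implementation 3 (XNTPD), byte 3 = request code 42 (REQ_MON_GETLIST_1),
# then err/count and mbz/size as zero. Eight bytes on the wire.
MONLIST_REQUEST = bytes([0x17, 0x00, 0x03, 0x2A, 0, 0, 0, 0])
MON_ITEM_SIZE = 72          # bytes per MON_GETLIST_1 entry in a real reply

# Mode 7 error codes as defined in ntpd's ntp_request.h
ERR_NAMES = {0: "ok", 1: "incompatible implementation", 2: "unknown request",
             3: "format error", 4: "no data (monitor disabled)", 7: "permission denied"}


def parse_mode7_response(data):
    """Decode the 8-byte mode 7 header of a reply and say whether monlist is exposed."""
    if len(data) < 8:
        raise ValueError("too short for a mode 7 header")
    rm_vn_mode, seq, impl, req_code, err_count, mbz_size = struct.unpack("!BBBBHH", data[:8])
    if (rm_vn_mode & 0x07) != 7 or not (rm_vn_mode & 0x80):
        raise ValueError("not a mode 7 response")
    err, count = err_count >> 12, err_count & 0x0FFF
    return {
        "impl": impl, "req_code": req_code, "seq": seq,
        "more": bool(rm_vn_mode & 0x40),      # M bit: further packets follow
        "err": err, "err_name": ERR_NAMES.get(err, "unknown"),
        "count": count, "item_size": mbz_size & 0x0FFF,
        # entries with no error means the server is handing out its peer list
        # (and amplifying); err 4 is what "disable monitor" produces
        "enabled": err == 0 and count > 0,
    }


def amplification_factor(reply_len, request_len=len(MONLIST_REQUEST)):
    """Bytes returned per byte sent, for one reply packet."""
    return reply_len / request_len


def constructed_reply(count, err=0, more=False):
    """Fabricate one reply packet: err=0 with entries for an exposed server,
    err=4 with no entries for a patched one. Test data only, not a capture."""
    first = 0x80 | (0x40 if more else 0x00) | 0x17
    header = struct.pack("!BBBBHH", first, 0, 3, 0x2A, (err << 12) | count,
                         MON_ITEM_SIZE if count else 0)
    return header + b"\x00" * (MON_ITEM_SIZE * count)


def probe(host, port=123, timeout=3.0):
    """Send one monlist request; return the parsed first reply, or None if the
    server stays silent (the usual result of a "restrict ... noquery" line)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(MONLIST_REQUEST, (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return parse_mode7_response(data)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(parse_mode7_response(constructed_reply(6, more=True)))
```

An err of 4 (no data) is what `disable monitor` in ntp.conf produces; silence usually means a `restrict default ... noquery` line, which is the other accepted fix, and `ntpdc -n -c monlist host` gives the same answer interactively. Each full reply packet carries six 72-byte entries behind an 8-byte header, so 440 bytes come back for every 8 sent: a 55x amplification per packet before the server has even sent the rest of its list.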

ISC StormCast for Tuesday, June 24th 2014 http://isc.sans.edu/podcastdetail.html?id=4035, (Tue, Jun 24th)

Latest Alerts - Mon, 06/23/2014 - 19:19


Microsoft Interflow announced today at 26th FIRST conference, (Mon, Jun 23rd)

Latest Alerts - Mon, 06/23/2014 - 08:36

Microsoft announced a private preview of Microsoft Interflow today, timed with the 26th FIRST Conference in Boston. While it's not available for general release yet, this is the first public announcement of a project I've been tracking internally for a while (I work at MSFT). Be patient, your opportunity is coming; this is good news for the DFIR community. Microsoft Interflow is a security and threat information exchange platform for professionals working in cybersecurity, and allows collaboration for a collectively stronger ecosystem, action prioritization through automation, and integration via a plug-in architecture. There's a write-up on the benefits as well as an FAQ so you can learn more. Microsoft Interflow, as a security automation platform for the exchange of security and threat information, is based on the STIX (Structured Threat Information eXpression), TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression) specifications. This is all good news as it means that we're getting closer to general release.

Russ McRee | @holisticinfosec


ISC StormCast for Monday, June 23rd 2014 http://isc.sans.edu/podcastdetail.html?id=4033, (Mon, Jun 23rd)

Latest Alerts - Sun, 06/22/2014 - 18:13