Latest Alerts

SANS Internet Storm Center, InfoCON: green

Adobe December Patch Tuesday, (Wed, Dec 10th)

Tue, 12/09/2014 - 17:24

Adobe today released two new bulletins, and updated the Reader/Acrobat bulletin that was published a week ago.

- This update fixes 6 vulnerabilities, some of which can lead to remote code execution. Adobe rates this patch with a priority of 1.
- This update fixes 20 different vulnerabilities. The bulletin has a rating of 1.
- This bulletin applies to ColdFusion 10 and 11 and fixes a denial of service vulnerability (CVE-2014-9166). The vulnerability has not been used in any exploits so far.

http://helpx.adobe.com/security.html

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Microsoft Patch Tuesday - December 2014, (Tue, Dec 9th)

Tue, 12/09/2014 - 11:25

Overview of the December 2014 Microsoft patches and their status.

Columns of the original table: # / Affected / Contra Indications - KB / Known Exploits / Microsoft rating(**) / ISC rating(*) clients, servers.

MS14-075 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (Replaces MS13-105)
  Affected: Microsoft Exchange
  CVEs: CVE-2014-6319, CVE-2014-6325, CVE-2014-6326, CVE-2014-6336
  KB 3009712
  Known exploits: none listed
  Microsoft rating(**): Severity: Important; Exploitability: not listed
  ISC rating(*): clients N/A, servers Important

MS14-080 Cumulative Security Update for Internet Explorer (Replaces MS14-065)
  Affected: Microsoft Windows, Internet Explorer
  CVEs: CVE-2014-6327, CVE-2014-6328, CVE-2014-6329, CVE-2014-6330, CVE-2014-6363, CVE-2014-6365, CVE-2014-6366, CVE-2014-6368, CVE-2014-6369, CVE-2014-6373, CVE-2014-6374, CVE-2014-6375, CVE-2014-6376, CVE-2014-8966
  KB 3008923
  Known exploits: none listed
  Microsoft rating(**): Severity: Critical; Exploitability: not listed
  ISC rating(*): clients Critical, servers Critical

MS14-081 Vulnerabilities in Microsoft Word and Microsoft Office Web Apps Could Allow Remote Code Execution (Replaces MS14-017, MS14-061, MS14-069)
  Affected: Microsoft Office
  CVEs: CVE-2014-6356, CVE-2014-6357
  KB 3017301
  Known exploits: none listed
  Microsoft rating(**): Severity: Critical; Exploitability: not listed
  ISC rating(*): clients Critical, servers Important

MS14-082 Vulnerability in Microsoft Office Could Allow Remote Code Execution (Replaces MS09-060)
  Affected: Microsoft Office
  CVEs: CVE-2014-6364
  KB 3017349
  Known exploits: none listed
  Microsoft rating(**): Severity: Important; Exploitability: not listed
  ISC rating(*): clients Critical, servers Important

MS14-083 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (Replaces MS13-085)
  Affected: Microsoft Office
  CVEs: CVE-2014-6360, CVE-2014-6361
  KB 3017347
  Known exploits: none listed
  Microsoft rating(**): Severity: Important; Exploitability: not listed
  ISC rating(*): clients Critical, servers Important

MS14-084 Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (Replaces MS14-011)
  Affected: Microsoft Windows
  CVEs: CVE-2014-6363
  KB 3016711
  Known exploits: none listed
  Microsoft rating(**): Severity: Critical; Exploitability: not listed
  ISC rating(*): clients Critical, servers Critical

MS14-085 Vulnerability in Microsoft Graphics Component Could Allow Information Disclosure
  Affected: Microsoft Windows
  CVEs: CVE-2014-6355
  KB 3013126
  Known exploits: vulnerability publicly known
  Microsoft rating(**): Severity: Important; Exploitability: not listed
  ISC rating(*): clients Important, servers Important

We will update issues on this page for about a week or so as they evolve. We appreciate updates.
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become interesting ...
    • Less Urgent: ... practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat ...

--
Alex Stanford - GIAC GWEB GSEC
Research Operations Manager,
SANS Internet Storm Center

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, December 9th 2014 http://isc.sans.edu/podcastdetail.html?id=4267, (Tue, Dec 9th)

Mon, 12/08/2014 - 17:09
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

POODLE Strikes (Bites?) Again, (Tue, Dec 9th)

Mon, 12/08/2014 - 17:08

As Adam Langley notes in his blog [1], the POODLE vulnerability may be found in some implementations of TLS, not just in SSLv3.

The problem is an implementation issue, not so much a problem with the standard as in the original SSLv3 instance. The POODLE vulnerability was caused by SSLv3's use of unspecified, unprotected padding. In TLS, the padding is specified, and TLS should no longer be vulnerable to the attack. However, it turns out that some implementations do not verify that the correct padding was used. Incorrect padding would go unnoticed (just like in SSLv3) and could lead to the POODLE problem.
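To make the padding difference concrete, here is an added example (not code from the diary or from Adam Langley's post) that applies the SSLv3 rule, the TLS rule, and the lenient check a non-compliant TLS stack effectively performs to the same decrypted record. The records are constructed plaintext; no encryption is modelled.

```python
# Added example, not code from the ISC diary or from Adam Langley's post.
# SSLv3 only defines the final length byte, so a receiver can only check that
# byte; TLS defines every padding byte (each must equal the length byte), so a
# receiver that follows the spec detects a tampered padding byte. A TLS stack
# that skips the per-byte check behaves like SSLv3, which is the flaw the
# diary refers to. Inputs are already-decrypted records (constructed).


def sslv3_strip_padding(plaintext: bytes, block_size: int = 16):
    """SSLv3 rule: last byte is the padding length; the other padding bytes
    are unspecified and therefore not checked. Returns payload or None."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    # SSLv3 requires the padding to be shorter than one cipher block.
    if pad_len >= block_size or pad_len + 1 > len(plaintext):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def tls_strip_padding(plaintext: bytes):
    """TLS 1.0+ rule: the last byte is the padding length and every padding
    byte must carry that same value. Returns payload or None."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    padding = plaintext[-(pad_len + 1):]
    # This is the check the vulnerable implementations omit.
    if any(b != pad_len for b in padding):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def lenient_tls_strip_padding(plaintext: bytes):
    """What a non-compliant TLS stack effectively does: accept any padding
    bytes as long as the length byte is plausible (SSLv3 behaviour)."""
    if not plaintext:
        return None
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext):
        return None
    return plaintext[: len(plaintext) - pad_len - 1]


def compare_checks():
    """Run the three checks on a valid record and on a record whose padding
    bytes were altered while the length byte was left intact (constructed)."""
    payload = b"GET / HTTP"  # 10 bytes
    pad_len = 5              # 5 padding bytes + 1 length byte = 16 bytes total
    good = payload + bytes([pad_len]) * pad_len + bytes([pad_len])
    tampered = payload + b"\x00" * pad_len + bytes([pad_len])
    return {
        "sslv3": (sslv3_strip_padding(good), sslv3_strip_padding(tampered)),
        "tls_strict": (tls_strip_padding(good), tls_strip_padding(tampered)),
        "tls_lenient": (lenient_tls_strip_padding(good),
                        lenient_tls_strip_padding(tampered)),
    }


if __name__ == "__main__":
    for name, (ok, bad) in compare_checks().items():
        print(f"{name:12s} valid -> {ok!r:15s} tampered padding -> {bad!r}")
```

Only the strict TLS check rejects the tampered record; the SSLv3 and lenient paths both hand the payload up as if nothing happened. A production implementation also has to perform this comparison in constant time, since timing differences between the padding and MAC checks are a separate, well-known side channel.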

On the other hand: we still haven't seen widespread (any?) exploitation of the POODLE vulnerability. So focus on what Microsoft has to offer first today, then take a look if you still have some outstanding Poodles in your network. F5 load-balancers apparently suffer from the new problem.

In addition, Heise.de notes that Kaspersky's Internet Security product, which implements a proxy on the protected host, still supports SSLv3 and may cause connections to be downgraded to SSLv3, even if the user's browser no longer supports SSLv3.

[1] https://www.imperialviolet.org

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, December 8th 2014 http://isc.sans.edu/podcastdetail.html?id=4265, (Mon, Dec 8th)

Sun, 12/07/2014 - 19:19
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Stop Admiring The Problem. Start Addressing The Problem., (Mon, Dec 8th)

Sun, 12/07/2014 - 16:30
How much energy do you spend admiring your problems? It does not matter what the problem is - asset inventory, vulnerability management or security awareness. You do have problems. What are you doing to make your current problem less of a problem? Set your problems aside for just a minute and take a brief journey to explore how your problems can be viewed as an opportunity.

I have been guilty of this behavior in the area of vulnerability management. I was so focused on making sure that everything was scanned on a regular basis that I failed to work with the system and application administrators to help them remediate the vulnerabilities the scanners had identified. A much better alternative to just scanning everything on your network is to scan for a brief amount of time and then stop. Stop long enough to fix some issues the scanner identified and then go back and confirm they really were fixed. It does not have to be complicated. Perhaps you can use a simple chart that shows what was found, what was corrected and what still needs to be corrected.

Collecting a bunch of High rated vulnerabilities adds no value. Correcting High rated vulnerabilities adds tremendous value. Instead of throwing missing patches over the fence to your administrators, offer help to them in their time of need. Maybe there is a valid business reason the administrators are not responding as quickly as you would like. Maybe they need extra support from your security or compliance teams to make progress in this area. Maybe they could use your help to focus on a solution to this problem.

Every person should take time to make undeniable progress on one of their security problems because of the positive impact it will make on the security posture of their organization. Make progress, even if it is just baby steps. Make a move in the right direction to become the change agent that is desperately needed.

What can you do right now to be the catalyst for the positive change your organization so desperately needs?

securityeverafter at gmail dot com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Google App Engine Java Security Sandbox bypasses, (Sat, Dec 6th)

Sat, 12/06/2014 - 12:54

Adam Gowdiak from Polish vulnerability research company Security Explorations has issued an announcement concerning vulnerabilities in the Google App Engine. Details are still somewhat thin, but it appears that multiple vulnerabilities have been discovered and that some of these vulnerabilities will allow a Java VM sandbox escape.

Further information is available at Full Disclosure archive at seclists.org.

-- Rick Wanner - rwanner at isc dot sans dot org - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

VMware new and updated security advisories, (Fri, Dec 5th)

Fri, 12/05/2014 - 01:35

Today VMware has released the following new and updated security advisories:

1. VMSA-2014-0012

Summary

VMware vSphere product updates address a Cross Site Scripting issue, a certificate validation issue and security vulnerabilities in third-party libraries.

Relevant releases:

VMware vCenter Server Appliance 5.1 Prior to Update 3

VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Server 5.1 prior to Update 3
VMware vCenter Server 5.0 prior to Update 3c

VMware ESXi 5.1 without patch ESXi510-201412101-SG

Problem Description
a. VMware vCSA cross-site scripting vulnerability
b. vCenter Server certificate validation issue
c. Update to ESXi libxml2 package
d. Update to ESXi Curl package
e. Update to ESXi Python package
f. vCenter and Update Manager, Oracle JRE 1.6 Update 81


http://www.vmware.com/security/advisories/VMSA-2014-0012.html

2. VMSA-2014-0002.4

Summary

VMware has updated vSphere third party libraries.

Relevant releases:
vCenter Server Appliance 5.5 prior to 5.5 Update 1
vCenter Server Appliance 5.1 prior to 5.1 Update 3

VMware vCenter Server 5.5 prior 5.5 Update 1

VMware Update Manager 5.5 prior 5.5 Update 1

VMware ESXi 5.5 without patch ESXi550-201403101-SG
VMware ESXi 5.1 without patch ESXi510-201404101-SG
VMware ESXi 5.0 without patch ESXi500-201405102-SG
VMware ESXi 4.1 without patch ESXi410-201404401-SG
VMware ESXi 4.0 without patch ESXi400-201404401-SG

VMware ESX 4.1 without patch ESX410-201404402-SG
VMware ESX 4.0 without patch ESX400-201404402-SG

Problem Description
a. DDoS vulnerability in NTP third party libraries
b. Update to ESXi glibc package
c. vCenter and Update Manager, Oracle JRE 1.7 Update 45

For further details please refer to:
http://www.vmware.com/security/advisories/VMSA-2014-0002.html

3. VMSA-2014-0008.2

Summary

VMware has updated vSphere third party libraries.

Relevant releases:
VMware vCenter Server 5.5 prior to Update 2
VMware vCenter Server 5.1 prior to Update 3
VMware vCenter Server 5.0 prior to Update 3c

VMware vCenter Update Manager 5.5 prior to Update 2

VMware ESXi 5.5 without patch ESXi550-201409101-SG
VMware ESXi 5.1 without patch ESXi510-201412101-SG
Problem Description
a. vCenter Server Apache Struts Update
b. vCenter Server tc-server 2.9.5 / Apache Tomcat 7.0.52 updates
c. Update to ESXi glibc package
d. vCenter and Update Manager, Oracle JRE 1.7 Update 55

For further information please refer to:
http://www.vmware.com/security/advisories/VMSA-2014-0008.html

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Friday, December 5th 2014 http://isc.sans.edu/podcastdetail.html?id=4263, (Fri, Dec 5th)

Thu, 12/04/2014 - 19:35
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Automating Incident data collection with Python, (Thu, Dec 4th)

Wed, 12/03/2014 - 18:49

One of my favorite Python modules is Impacket by the guys at Core Labs. Among other things it allows me to create Python scripts that can speak to Windows computers over SMB. I can use it to map network drives, kill processes on a remote machine and much more. During an incident, having the ability to reach out to all the machines in your environment to list or kill processes is very useful. Python and Impacket make this very easy. Check it out.

After installing Impacket all of the awesome modules are available for use in your Python scripts. In addition to the modules, Impacket also includes several sample programs. Awesome tools like psexec.py give you functionality like Microsoft's PSEXEC plus pass-the-hash in an easily automated format. Have you ever wished you could run wmic commands from Linux? Let's use wmiexec.py to run a command on a remote Windows machine from Linux. You just provide the tool with a username, password, target IP address and a wmic command to run on the target machine. For example, this is how ...

[screenshot]

WMIC from my Linux server is awesome, but the best part is that this is Python! So instead of running wmiexec.py I can import it as a module and use it in a Python script. I'll start out in the same directory as wmiexec and launch python. Then import wmiexec and create a variable to hold a WMIEXEC object. In this case I'll create a variable called wmiobj that points to a WMIEXEC object. The first argument is the command I want to run. In this case I run a WMIC command that finds the path of the executable for every copy of a process with cmd somewhere in the process name. The only other arguments are the username, password and share=ADMIN$.

[screenshot]

In this case one of the command prompts is running from a user's temporary directory. That merits some additional investigation! With those 3 simple lines of Python code we were able to automate the query to a single host. Because it is Python we can easily use a for loop to run this on every workstation on our network, capture those results and compare them. Find the host with processes that aren't running on any of the other hosts! Find the host with unique, unusual network connections! Then, if the conditions are right, automate something to isolate it.
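The comparison step described above, as an added example that is not Mark Baggett's code and not part of Impacket: it takes the WMIC-style output collected from several hosts and reports executables that run on only one host, plus anything launched from a user's temp directory. The per-host output, host names and paths below are constructed sample data so the script runs offline; collecting it with wmiexec is assumed to have already happened.

```python
# Added example, not Mark Baggett's code or part of Impacket. It performs the
# comparison the diary describes once the per-host WMIC queries have run.
# SAMPLE_OUTPUT stands in for what wmiexec would have returned; the hosts and
# paths are fictional.
import re
from collections import defaultdict

# Constructed sample output in the "get name,executablepath" column layout.
SAMPLE_OUTPUT = {
    "ws01": (
        "ExecutablePath                   Name\n"
        "C:\\Windows\\System32\\cmd.exe     cmd.exe\n"
    ),
    "ws02": (
        "ExecutablePath                   Name\n"
        "C:\\Windows\\System32\\cmd.exe     cmd.exe\n"
        "C:\\Program Files\\Git\\cmd.exe    cmd.exe\n"
    ),
    "ws03": (
        "ExecutablePath                   Name\n"
        "C:\\Windows\\System32\\cmd.exe     cmd.exe\n"
        "C:\\Users\\bob\\AppData\\Local\\Temp\\cmd.exe  cmd.exe\n"
    ),
}

# A user's temp directory, as in the diary's suspicious case.
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def parse_wmic_table(text):
    """Turn 'ExecutablePath ... Name' rows into (path, name) tuples. The path
    may contain spaces, so the split is done once from the right."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the column header
        line = line.strip()
        if not line:
            continue
        path, name = line.rsplit(None, 1)
        rows.append((path, name))
    return rows


def collect(results_by_host):
    """host -> set of case-normalized executable paths."""
    return {host: {p.lower() for p, _ in parse_wmic_table(out)}
            for host, out in results_by_host.items()}


def unique_paths(paths_by_host):
    """Paths seen on exactly one host: the 'not running anywhere else' case."""
    seen_on = defaultdict(set)
    for host, paths in paths_by_host.items():
        for p in paths:
            seen_on[p].add(host)
    return {p: next(iter(hosts)) for p, hosts in seen_on.items()
            if len(hosts) == 1}


def user_temp_paths(paths_by_host):
    """Executables launched from a user's temp directory."""
    return sorted((host, p) for host, paths in paths_by_host.items()
                  for p in paths if USER_TEMP.match(p))


if __name__ == "__main__":
    by_host = collect(SAMPLE_OUTPUT)
    for path, host in unique_paths(by_host).items():
        print(f"only on {host}: {path}")
    for host, path in user_temp_paths(by_host):
        print(f"user temp dir on {host}: {path}")
```

Feeding the real per-host output into `collect()` instead of `SAMPLE_OUTPUT` is the only change needed; the two report functions are what turn a pile of process listings into a short list of hosts worth a closer look.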

Interested in learning more? Come check out SEC573 Python for Penetration Testers. You will learn Pythonstarting from ground zero and learn how to automate all the things. Join me at CyberGuardian on March 2 or in Orlando on April 11.

Check out the courses here:

http://www.sans.org/course/python-for-pen-testers

Mark Baggett

twitter:@MarkBaggett

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Thursday, December 4th 2014 http://isc.sans.edu/podcastdetail.html?id=4261, (Thu, Dec 4th)

Wed, 12/03/2014 - 17:50
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Wednesday, December 3rd 2014 http://isc.sans.edu/podcastdetail.html?id=4259, (Wed, Dec 3rd)

Tue, 12/02/2014 - 19:32
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

OpenVPN server DoS vulnerability fixed, (Tue, Dec 2nd)

Tue, 12/02/2014 - 16:09

The OpenVPN folks released a security advisory and updates to their server software yesterday for a vulnerability that has existed in the source code since 2005. CVE-2014-8104 is a vulnerability that can result in an OpenVPN server crashing when sent a too-short control channel packet. Note that, in their words, both client certificates and TLS auth will protect against this exploit as long as all OpenVPN clients can be trusted to not be compromised and/or malicious. If I'm reading this correctly, this means that adding tls-auth keyfile (0|1) (as appropriate) to the configuration files on both server and client, as well as using client certificates, should protect against this attack. Folks running OpenVPN servers are strongly urged to update to v2.3.6 as soon as possible. The fixes have also been backported to v2.2 and can be found in the git repository, but the bug may also exist in earlier v2.x code if anyone is still running old server software. Note that the v3.x code used in most OpenVPN Connect clients (such as those for Android and iOS) is not vulnerable. My Ubuntu systems got the update last night, so if you are running an OpenVPN server on Linux hopefully the patches are available via the usual package update mechanism or soon will be.

References:

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Does Your Vulnerability Scanner Speak Portuguese?, (Tue, Dec 2nd)

Tue, 12/02/2014 - 10:39

Rodrigo Montoro and Joaquim Espinhara did an interesting test, and like so many interesting tests, it is actually pretty obvious in hindsight: they looked at different vulnerability scanners, and checked how they behave if a web site is coded in a language other than English [1]. The quick answer: they pretty much fail. The presentation looks at a couple of open source and commercial scanners, and throws in snort as an IDS. Turns out all of the scanners (and snort) have issues recognizing evidence of vulnerabilities (like SQL error messages) if the language is changed to anything but English.

Lessons?

- don't just trust your vulnerability scanner. A clean bill from a basic vulnerability scanner doesn't mean you have no vulnerabilities.
- watch your error logs while the scan is in progress. You may find a lot more evidence of problems that way, in particular if you are not very forthcoming on error messages.
- configure your scanner (and in the case of snort: your IDS) correctly. Maybe adjust your server configuration to make it easier for the scanner to find problems.
- and yes... a web site written in Klingon is likely much more difficult to hack, but also not that useful (they don't pay!)

On a similar note: Some sites use different code for different language versions of the site. In this case, it is very important to test all language versions, which may not be easy.
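Here is an added example (not code from the diary or from the presentation) of the failure mode above and of the second lesson: an English-only signature set misses the same database error in a localized response, while the server's own error log still exposes it through locale-independent error codes. The response bodies, log lines and the Portuguese and German patterns are constructed for illustration; real signatures belong in your scanner or IDS configuration and should come from the database's own message catalog for each locale you run.

```python
# Added example, not code from the diary or from the Black Hat Brazil talk.
# detect_sql_errors() models a scanner/IDS signature set; scan_error_log()
# models watching the server's error log during the scan. All sample data is
# constructed; the "pt" and "de" patterns are illustrative, not catalog text.
import re

ERROR_SIGNATURES = {
    "en": [r"you have an error in your sql syntax", r"unclosed quotation mark"],
    "pt": [r"voc\w* tem um erro de sintaxe no seu sql"],   # constructed
    "de": [r"fehler in der sql-syntax"],                    # constructed
}

# Markers that survive localization: MySQL reports a syntax error as error
# code 1064 with SQLSTATE 42000 regardless of the message language.
LOCALE_INDEPENDENT = [r"\b1064\b", r"\b42000\b"]

SAMPLE_RESPONSES = [  # constructed (app name, response body)
    ("app-en", "500: You have an error in your SQL syntax; check the manual"),
    ("app-pt", "500: Você tem um erro de sintaxe no seu SQL próximo a ''"),
    ("app-de", "200: Fehler in der SQL-Syntax nahe ''"),
    ("app-ok", "200: <html>Bem-vindo</html>"),
]

SAMPLE_ERROR_LOG = """\
2014-12-02 10:39:01 app-pt php[412]: DB error 1064 (42000): erro de sintaxe
2014-12-02 10:39:02 app-ok php[413]: request served in 12ms
"""


def detect_sql_errors(responses, languages):
    """Return the apps whose response matches a signature in any of the
    selected languages; with ["en"] only, the localized apps are missed."""
    patterns = [re.compile(p, re.I)
                for lang in languages for p in ERROR_SIGNATURES[lang]]
    return [name for name, body in responses
            if any(p.search(body) for p in patterns)]


def scan_error_log(log_text):
    """Second lesson from the diary: the error log shows the failure through
    numeric codes even when the message text is in another language."""
    patterns = [re.compile(p) for p in LOCALE_INDEPENDENT]
    return [line for line in log_text.splitlines()
            if any(p.search(line) for p in patterns)]


if __name__ == "__main__":
    print("english-only:", detect_sql_errors(SAMPLE_RESPONSES, ["en"]))
    print("localized   :", detect_sql_errors(SAMPLE_RESPONSES, ["en", "pt", "de"]))
    print("error log   :", scan_error_log(SAMPLE_ERROR_LOG))
```

The English-only run flags one application; the localized set flags three; and the log check finds the Portuguese site's error without knowing any Portuguese at all, which is why matching on error codes and SQLSTATE values is the more robust choice for both scanners and IDS rules.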

[1] http://www.slideshare.net/spookerlabs/lost-in-translation-blackhat-brazil-2014

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

We will be performing some extensive updates to our backend today. Sorry for any outages/errors you may be seeing. , (Tue, Dec 2nd)

Tue, 12/02/2014 - 05:50

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Tuesday, December 2nd 2014 http://isc.sans.edu/podcastdetail.html?id=4257, (Tue, Dec 2nd)

Mon, 12/01/2014 - 17:54
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Dridex Phishing Campaign uses Malicious Word Documents, (Mon, Dec 1st)

Mon, 12/01/2014 - 09:48

This is a guest diary submitted by Brad Duncan.

During the past few months, botnet-based campaigns have sent waves of phishing emails associated with Dridex. Today, we'll examine a wave that occurred approximately 3 weeks ago. The emails contained malicious Word documents, and with macros enabled, these documents infected Windows computers with Dridex malware.

Various people have posted about Dridex [1] [2], and some sites like Dynamoo's blog [3] and TechHelpList [4] often report on these and other phishing campaigns.

Let's take a closer look at one of the November phishing waves.

On 11 Nov 2014, I saw at least 60 emails with "Duplicate Payment Received" in the subject line.

[screenshot]

After opening the attached Word document on a Windows host, Dridex was downloaded if macros were enabled.

[screenshot]

Shown above: events from Sguil in Security Onion.

File hashes changed during this wave of emails, indicating at least 3 different Word documents were used. During this phishing run, Dridex malware came from IP addresses in the 62.76.185.0/24 block.

Brad Duncan is a Security Analyst at Rackspace, and he runs a blog on malware traffic analysis at http://www.malware-traffic-analysis.net
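As an added example (not part of Brad Duncan's diary), the following checks proxy log lines against the 62.76.185.0/24 block named above using the standard-library `ipaddress` module, so the block is matched as an address range rather than by string prefix. The log lines, client addresses and request paths are constructed; only the network block comes from the diary.

```python
# Added example, not part of the ISC diary. Matches constructed proxy log
# lines against the network block the diary names as the Dridex download
# source. The third sample line (62.76.18.5) is deliberately outside the
# block to show why a string-prefix comparison would be wrong.
import ipaddress
import re

DRIDEX_DOWNLOAD_BLOCK = ipaddress.ip_network("62.76.185.0/24")  # from the diary

# Constructed sample lines: date, time, client, destination:port, request.
SAMPLE_PROXY_LOG = """\
2014-11-11 14:02:11 10.0.0.15 62.76.185.33:80 GET /file.exe
2014-11-11 14:02:12 10.0.0.15 93.184.216.34:80 GET /index.html
2014-11-11 14:05:40 10.0.0.22 62.76.18.5:80 GET /update
2014-11-11 14:07:03 10.0.0.31 62.76.185.200:8080 POST /gate
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+):(\d+) (.+)$")


def find_block_contacts(log_text, network):
    """(timestamp, client, destination) for every line whose destination
    address lies inside the given network."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, client, dst, _port, _request = m.groups()
        try:
            if ipaddress.ip_address(dst) in network:
                hits.append((ts, client, dst))
        except ValueError:  # destination was a hostname, not an address
            continue
    return hits


def clients_to_triage(log_text, network):
    """Internal hosts that contacted the block, deduplicated."""
    return sorted({client for _, client, _ in find_block_contacts(log_text, network)})


if __name__ == "__main__":
    for ts, client, dst in find_block_contacts(SAMPLE_PROXY_LOG, DRIDEX_DOWNLOAD_BLOCK):
        print(f"{ts} {client} -> {dst}")
    print("triage:", clients_to_triage(SAMPLE_PROXY_LOG, DRIDEX_DOWNLOAD_BLOCK))
```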

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Flushing out the Crypto Rats - Finding "Bad Encryption" on your Network, (Mon, Dec 1st)

Mon, 12/01/2014 - 06:45

Just when folks get around to implementing SSL, we need to retire SSL! Not a week goes by that a client isn't asking me about SSL (or more usually TLS) vulnerabilities or finding issues on their network.

In a recent case, my client had just finished a datacenter / PCI audit, and had one of his servers come up as using SSL 2.0, which of course has been deprecated since 1996 - the auditor's recommendation was to update to SSL 3.0 (bad recommendation, keep reading on).

1/ W-a-a-a-y too many assessments consist of scanning the target, and pasting the output of the scanning tool into the final report.
2/ In this case, the person writing the report had either not read the text they were pasting, or was not knowledgeable enough to understand that updating from SSL 2 to SSL 3 wasn't going to get to a final good state. Shame on them either way!

As a side note, if the site (it was on an internal network remember) was running plain old HTTP, then the scanner would not have identified a problem, and the person behind the scanner would very likely have missed this completely! (OOPS)

Anyway, my client's *real* question was: how can we scan our network for vulnerable SSL versions and ciphers, but not pay big bucks for an enterprise scanning tool or a consultant?

My answer was (that day) - NMAP of course!

To check for weak or strong ciphers on a server or subnet, use the script ssl-enum-ciphers:

nmap -Pn -p443 isc.sans.edu --script=ssl-enum-ciphers

Nmap scan report for isc.sans.edu (66.35.59.249)
Host is up (0.097s latency).
rDNS record for 66.35.59.249: isc.sans.org
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| compressors:
| NULL
|_
Nmap done: 1 IP address (1 host up) scanned in 34.63 seconds

You can scan specifically for SSLv2 devices using the script sslv2.nse:

nmap -Pn -p443 --open

Nmap scan report for 192.168.122.246
Host is up (0.029s latency).
PORT STATE SERVICE
443/tcp open https
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC2_CBC_128_CBC_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
MAC Address: 00:E0:81:CE:9E:74 (Tyan Computer)

NMAP also has an ssl-heartbleed script (if you're still focused on that), and an ssl-poodle script, but you'll need to download that one from their script page at http://nmap.org/nsedoc/scripts/ - it's not in the base installation.

While you're at it, take a look at cipher support on any SSH enabled devices on your network - you are likely to be surprised at what you find. For instance, this is the management interface of my home firewall - I'm not thrilled with the 3des-cbc and MD5 support, but I guess that's why there ...

Nmap scan report for 192.168.122.1
Host is up (0.0020s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (1)
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (4)
| aes128-cbc
| 3des-cbc
| aes192-cbc
| aes256-cbc
| mac_algorithms: (4)
| hmac-sha1
| hmac-sha1-96
| hmac-md5
| hmac-md5-96
| compression_algorithms: (1)
|_
Nmap done: 1 IP address (1 host up) scanned in 47.39 seconds

Or, for a real eye-opener, scan your subnet for SSHv1 enabled devices - note that this scan (and the previous one) assumes that your SSH service is on port 22. In a zero knowledge scan, you'd of course scan a wider range of ports (all of them if there ...

nmap -Pn -p22 192.168.122.0/24 --script=sshv1.nse

This scan didn't find anything at my house, but it *always* finds stuff at client sites!
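Reading nmap output by eye works for one host, but across a subnet it helps to parse the script blocks and flag what needs retiring. The following is an added example, not Rob VandenBrink's code and not an nmap script: it parses the text layout nmap prints for ssh2-enum-algos and sslv2 (the home firewall scan from this diary is embedded as the SSH sample; the SSLv2 sample is a shortened copy of the second scan) and reports the algorithms to retire. Which algorithms count as weak is this example's own judgement, not an nmap rating.

```python
# Added example, not code from the diary or from nmap. Parses nmap's text
# output for the ssh2-enum-algos and sslv2 NSE scripts and flags legacy
# algorithms. SSH_SCAN is the diary's own scan output; SSL_SCAN is a
# shortened copy of the diary's SSLv2 scan. WEAK_SSH is this example's list.
import re

SSH_SCAN = """\
Nmap scan report for 192.168.122.1
Host is up (0.0020s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (1)
| diffie-hellman-group1-sha1
| server_host_key_algorithms: (1)
| ssh-rsa
| encryption_algorithms: (4)
| aes128-cbc
| 3des-cbc
| aes192-cbc
| aes256-cbc
| mac_algorithms: (4)
| hmac-sha1
| hmac-sha1-96
| hmac-md5
| hmac-md5-96
| compression_algorithms: (1)
|_
Nmap done: 1 IP address (1 host up) scanned in 47.39 seconds
"""

SSL_SCAN = """\
Nmap scan report for 192.168.122.246
Host is up (0.029s latency).
PORT STATE SERVICE
443/tcp open https
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
"""

# Algorithms a defender would retire on a management interface (example's own list).
WEAK_SSH = {
    "kex_algorithms": {"diffie-hellman-group1-sha1"},
    "encryption_algorithms": {"3des-cbc", "arcfour", "arcfour128", "arcfour256"},
    "mac_algorithms": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
}


def parse_ssh2_enum_algos(nmap_output):
    """section name -> list of algorithms, from the '| name: (n)' layout."""
    algos, section = {}, None
    for raw in nmap_output.splitlines():
        if not raw.startswith("|"):
            section = None  # left the script output block
            continue
        line = raw.lstrip("|_ ").rstrip()
        m = re.match(r"(\w+_algorithms): \(\d+\)$", line)
        if m:
            section = m.group(1)
            algos[section] = []
        elif section and line:
            algos[section].append(line)
    return algos


def weak_ssh_algorithms(nmap_output):
    """Only the sections that offer something on the WEAK_SSH list."""
    algos = parse_ssh2_enum_algos(nmap_output)
    return {sec: sorted(set(algos.get(sec, [])) & bad)
            for sec, bad in WEAK_SSH.items()
            if set(algos.get(sec, [])) & bad}


def sslv2_findings(nmap_output):
    """(SSLv2 supported?, SSLv2 cipher names offered). Any SSLv2 support is
    a finding on its own; the cipher list is just for the report."""
    supported = "SSLv2 supported" in nmap_output
    return supported, re.findall(r"\b(SSL2_\w+)", nmap_output)


if __name__ == "__main__":
    print("SSH legacy algorithms:", weak_ssh_algorithms(SSH_SCAN))
    print("SSLv2:", sslv2_findings(SSL_SCAN))
```

Point it at a saved `nmap -oN` file for a whole subnet and the per-section dictionary turns into a retirement list per host; the section reset on any line not starting with `|` keeps one host's block from bleeding into the next.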

What crypto support issues have you found when you scanned for them? And how long do you think these problems were there? Please, share your story using our comment link!

===============
Rob VandenBrink
Metafore

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

ISC StormCast for Monday, December 1st 2014 http://isc.sans.edu/podcastdetail.html?id=4255, (Mon, Dec 1st)

Sun, 11/30/2014 - 18:37
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Do you have a Data Breach Response Plan?, (Mon, Dec 1st)

Sun, 11/30/2014 - 16:12

The Ponemon Institute conducted and released a paper in September on its second annual study on data breaches. Some of the data collected shows interesting results. Based on their survey, 68% of respondents don't believe their company would know how to deal with negative public opinion and 67% think their organization does not understand what to do after a data breach occurs. [page 3] If either one occurs, it usually impacts the brand; it can lead to loss of customers and shake business partners' trust and confidence in the company.

They also found that more companies now have a data breach response plan: 73% in 2014 compared to 61% last year. According to this survey, only ~30% of the response plans are effective or very effective. [page 4] The report suggests that to be effective, the organization must provide training to its employees, to make them aware of their responsibilities on how to protect customer information when a data breach occurs.

There are several templates of data breach response plans freely available to get you started. If you have one in place, how often is it reviewed and exercised? Do you receive training on how to properly safeguard customers' sensitive data? The study can be downloaded here [1].

[1] http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf [page 3,4]
[2] https://privacyassociation.org/resources/article/security-breach-response-plan-toolkit/
[3] http://www.cica.ca/resources-and-member-benefits/privacy-resources-for-firms-and-organizations/docs/item48785.pdf
[4] http://www.justice.gov/sites/default/files/opcl/docs/breach-procedures.pdf
[5] http://www.securingthehuman.org

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts