-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
Charlie Miller discovered an integer overflow error in CoolType.dll when parsing the maxCompositePoints field value in the Maximum Profile table of a TrueType font. PDFs containing specially crafted TrueType fonts can trigger this vulnerability.
Want more information? See pages 51 to 58 of the following document: http://securityevaluators.com/files/papers/CrashAnalysis.pdf
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances, impact is DoS.
Advisory ID: cisco-sa-20100804-asa
http://www.cisco.com/warp/public/707/cisco-sa-20100804-asa.shtml
Cisco Security Advisory: Multiple Vulnerabilities in Cisco Firewall Services Module, impact is DoS.
Advisory ID: cisco-sa-20100804-fwsm
http://www.cisco.com/warp/public/707/cisco-sa-20100804-fwsm.shtml
Cheers,
Adrien de Beaupré
EWA-Canada.com
A comment to my earlier lightning diary pointed out that NOAA warned of a large solar eruption that happened on Sunday (August 1st). NOAA monitors Space Weather [1] in an effort to protect satellites. In this case, the effect may be large enough to cause some problems on the ground as well.
These events are not all that unusual, and in most cases there is little ground-based damage, if any. Long distance radio transmissions and satellite communications are usually affected first. Given our reliance on systems like GPS, an outage may have indirect ground-based effects. Sensitive electronics may be affected and outdoor radiation levels may be higher than normal. Long distance power lines may also be affected by the associated changes in the earth's magnetic field as well as by charged particles.
On the fun side: This may lead to more northern lights. Maybe check them out after dark for the next couple of days.
[1] http://www.swpc.noaa.gov/today.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
This weekend, I had a pretty bad lightning strike hit my house. The kind where you see sparks hitting the street in front of the house and your dog jumping in your lap. Overall, lightning is a pretty common phenomenon around here. I live in Florida, which appears to be #1 in lightning strikes and casualties in the US [1]. For the 5+ years I have lived here, the power grid has actually been rather stable during lightning storms, but lately I have had a string of bad luck and would like to share some lessons learned:
So far, I have had no damage to equipment completely protected by a UPS/surge protector. I use various types of UPSs, and all have performed well so far. Some are rather old and have hardly any battery life left, but they still work well enough for the power spikes/dips that show up during electrical storms.
The damage I had, in particular in the last storm, affected exclusively network equipment and networking interfaces. I assume that the surge entered through the network. I lost two switches and the wired network interfaces in two PCs. Otherwise, the PCs work fine. So far I had not used any network surge protectors, but I have now started to use the surge protectors provided by the UPS. This appears to work fine, but in some cases the network now runs at half duplex and no longer in full duplex mode. I looked into stand-alone network surge protectors for some devices, and it turned out to be a bit hard to find one that supports Gigabit Ethernet, but they are available. The UPS network surge protection is only supposed to work up to 100Base-T, but it synced fine at Gigabit (without full duplex).
A thunderstorm a couple of months ago caused some interesting damage to my cable modem. I was only able to upload 1 MByte in a single connection. This was very weird, as it also applied to connections inside VPN tunnels; the cable modem shouldn't really see what was happening there. But sure enough, swapping the modem fixed the problem. I added a surge protector for the cable line as well. One reason I had not done this before was that I had bad experiences with surge protectors and cable modems in the past. But my new cable modem (like many others) provides a status screen, and the signal-to-noise number did not suffer significantly after adding the surge protector. The surge protector replaced a simple straight-through connector, which may have caused a similar loss.
A couple of other hints:
- Do not plug surge protectors into a UPS. If the UPS runs on batteries it will usually generate a stepped sine wave which may destroy surge protectors (it is particularly tricky to find power strips without a surge protector).
- Do not plug a UPS into a UPS (same reason as above).
- Lightning damage can be subtle. None of my equipment has any visible damage.
- Proper grounding of all lines entering the house is important (around here, I find that utility companies are pretty good about that).
- Once the power is out, turn off the main fuse to the house. But be aware that the main fuse can be hard to flip. Depending on the nature of the outage you may have some surges and unstable power until the damage is repaired (if you want to know when power comes back, just flip all the individual fuses other than one or two that only power lights).
If you are considering a backup generator: I looked at many options, but haven't been able to justify one so far. This last outage was 10 hrs long and was by far the longest I have seen. My backup plan is a well-charged laptop and a 3G data card to keep me connected. If you consider backup power for a server room, don't forget the AC! For the generators I looked at, the cost to install was almost as much as, if not more than, the cost of the generator. If you do use a portable generator to power individual devices, make sure you do NOT plug the generator into your house wiring before disconnecting the main fuse.
As a quick summary: Surge protectors work. They will probably not save your equipment if the lightning storm rips the electrical wiring out of your walls, but they can help against some pretty nasty strikes. Unplugging your equipment (and WiFi :) ) is better, but not always feasible.
[1] http://www.srh.noaa.gov/mlb/?n=lightning_stats
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Way back in June I started a discussion on Vulnerability Assessment Testing Automation, Part I: isc.sans.edu/diary.html?storyid=9091
In it I mainly focused on one of the primary port scanning and fingerprinting tools in use today, nmap. More importantly, on getting nmap data parsed and into a nice cozy database where we can query our hearts out, then correlate data points and pump out snazzy reports. In this diary I'll extend the discussion to include Nessus, also a mainstream tool for performing network vulnerability assessment scanning. One of the issues I have had with Nessus for a long time is the reporting, and most of us write or use other tools to make sense of the reams of data you get from multiple Nessus runs. This one is no different. What it does is parse the newer .nessus V2 file format and import it into a database.
The script is here:
handlers.dshield.org/adebeaupre/parsenessusv2mysql.pl
It makes use of XML::DOM and DBI.
Usage: parsenessusv2mysql.pl xmlfile {dbname dbuser dbpassword}
The database name, database username, and password are all optional CLI parameters; they can also be set by editing the appropriate values within the script.
I had been using a different script to parse .nessus v1 files, and was going to add it to this script as well, but changed my mind as I am currently finding it easier to bulk upload v1 files to the Nessus XMLRPC interface and then download them converted to v2.
Unfortunately it also needs some more work, but does the trick. I am more than open to suggestions, or better ways of doing things. Part III will be tips and tricks to using the Nessus XMLRPC interface from the command line. Part IV will be parsing other tool outputs for database import that don't have a fancy XML format. Part V will be the scripts and techniques to wrap all of the other parts together following a reasonable methodology. Let us know if you use this script, something like it, or some other technique to manage security test data. Contact us or use the comment fields below.
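The same .nessus v2 import, as an added example that is not the diary's Perl script: ReportHost/ReportItem entries are flattened into rows and loaded into SQLite with Python's standard library, then queried for the worst finding per host. The XML is constructed sample data; the hosts, plugin IDs and plugin names in it are made up.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample in the NessusClientData_v2 layout (Report > ReportHost >
# HostProperties/tag + ReportItem). Hosts, plugin IDs and names are made up.
SAMPLE_NESSUS_V2 = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="192.168.5.25">
      <HostProperties>
        <tag name="host-ip">192.168.5.25</tag>
        <tag name="operating-system">Linux Kernel 2.6</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10267" pluginName="SSH Server Type and Version"
                  pluginFamily="Service detection">
        <description>An SSH server is listening on this port.</description>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="3"
                  pluginID="99901" pluginName="Example outdated web server"
                  pluginFamily="Web Servers">
        <description>Constructed high-severity finding.</description>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.168.5.30">
      <HostProperties>
        <tag name="host-ip">192.168.5.30</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="99902" pluginName="Example missing patch"
                  pluginFamily="Misc.">
        <description>Constructed medium-severity finding.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

SCHEMA = """CREATE TABLE IF NOT EXISTS findings (
    report TEXT, host TEXT, host_ip TEXT, os TEXT, port INTEGER, protocol TEXT,
    service TEXT, severity INTEGER, plugin_id INTEGER, plugin_name TEXT,
    plugin_family TEXT, description TEXT)"""


def parse_nessus_v2(xml_text):
    """Return one dict per ReportItem, flattened with its host's properties."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 document, root is <%s>" % root.tag)
    rows = []
    for report in root.iter("Report"):
        for host in report.iter("ReportHost"):
            # HostProperties are <tag name="...">value</tag> children
            props = {t.get("name"): (t.text or "")
                     for t in host.findall("HostProperties/tag")}
            for item in host.iter("ReportItem"):
                rows.append({
                    "report": report.get("name", ""),
                    "host": host.get("name", ""),
                    "host_ip": props.get("host-ip", host.get("name", "")),
                    "os": props.get("operating-system", ""),
                    "port": int(item.get("port", "0")),
                    "protocol": item.get("protocol", ""),
                    "service": item.get("svc_name", ""),
                    "severity": int(item.get("severity", "0")),
                    "plugin_id": int(item.get("pluginID", "0")),
                    "plugin_name": item.get("pluginName", ""),
                    "plugin_family": item.get("pluginFamily", ""),
                    "description": (item.findtext("description") or "").strip(),
                })
    return rows


def load_findings(conn, rows):
    """Insert rows with a parameterised statement; never build SQL from report text."""
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO findings VALUES (:report, :host, :host_ip, :os, :port, "
        ":protocol, :service, :severity, :plugin_id, :plugin_name, "
        ":plugin_family, :description)", rows)
    conn.commit()
    return len(rows)


def hosts_with_severity_at_least(conn, min_severity):
    """(host_ip, worst severity, finding count) for hosts at or above min_severity."""
    cur = conn.execute(
        "SELECT host_ip, MAX(severity), COUNT(*) FROM findings "
        "WHERE severity >= ? GROUP BY host_ip ORDER BY 2 DESC, 1",
        (min_severity,))
    return cur.fetchall()


def build_demo_db(xml_text=SAMPLE_NESSUS_V2):
    """Parse a report into an in-memory database and return the connection."""
    conn = sqlite3.connect(":memory:")
    load_findings(conn, parse_nessus_v2(xml_text))
    return conn
```

Point `build_demo_db` at a real file's contents (and `sqlite3.connect` at a file) to keep results across runs; the query then works the same way over many scans.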
Cheers,
Adrien de Beaupré
EWA-Canada.com
Considering reporting an incident?
Have you just received an incident report?
My, oh my... what are you to do?
Since I am unquestionably the arbiter of all that is good and right on the highways and byways we lovingly call the Internet, I put together a handy little guide to help you through these trying times. Just think of me as the Miss Manners of Incident Handling. Only I don't wear a dress...
Very often...
Anymore...
What *NOT* To Do When Reporting An Incident
Cop a 'tude: Ok, I can certainly understand that you're feeling a little miffed 'bout the fact that someone took a whack at one of your machines, but really, in my experience, most (i.e. ~99%) of the time the responsible party is many steps removed from the people you'll be contacting-- so venting your spleen on the dude at the receiving end of your email or phone call is just bad form. Save that stuff for telemarketers. (Note: Yes, I understand that telemarketers are often good, wholesome, hardworking folks trying to make ends meet. I just don't care.) If you're all wound up and ready to take names and kick butt, then you're clearly an amateur at incident response. More than likely, that evil Eastern-bloc hacker with the slicked back hair and bad teeth that you're imagining kicking over your webserver is actually just an unpatched WinXP machine owned by someone's Great Aunt Margaret that got whacked by the latest version of SDBot. Keep the vent-plug locked down tight on your spleen... no one wants you gettin' Great Aunt Maggie all spleeny.
Get All Litigious: This is a subgroup of #1. In this case, instead of questioning whether the 'leet hax0r's parents were married at the time of his/her conception, you whip out the big guns, 'splainin' that you'll rain down all manner o'lawsuits, IRS investigations, and Papal excommunication on the responsible party. Trust me, if the FBI was interested in investigating your incident, you wouldn't be writing about it in an email to abuse@. Doing this just makes you look silly. Stop it.
Look Stupid: A good incident report tells a story: it tells exactly *what* happened and exactly *when* it happened. "Stop hacking me!" is not an incident report -- it's an exclamatory sentence that reeks of idiocy. Include IP addresses (and, if they resolve, machine names) in your report. Include port numbers. Include times (synchronized to something besides your best stab at clicking "Ok" while staring at Mickey's hands...). Include (or offer to provide) packet captures. You need to do the work so that the people on the receiving end of your report don't have to... or you'll be ignored. Notice: All of these things imply that *you* actually have a dang clue, have done your homework, and are monitoring your network at some sort of reasonable level. Wow. Who would have thought that you actually needed to know what you're talking about to report an incident?
Plant Your Flag: The Internet sucks when it comes to attribution. WHOIS tells you little and is often wrong about what it *does* tell you, IP addresses rarely reverse resolve, abuse@ email often appears to black-hole, and most ISP support staff gave up caring when they realized that "I work in IT" isn't really the chick-magnet phrase they thought it would be. With those kinds of odds against you, you're not gonna win many of these... I know it's frustrating when you have someone dead-to-rights and they simply dismiss you, saying, "It's not us." Let it go. You've taken the time to try to warn someone about an incident, and sometimes, that's the very best you can do. Persistence isn't a virtue here, and if you cross the line and get abusive about an incident yourself, it can get you in really deep, really fast.
Blame The Victim: Not everyone is as 'leet as you... nor are they as good looking, suave, sophisticated and debonair. (Very few of us are...) But, because you're also as intelligent as you are attractive, you know that you shouldn't look down on someone who got 0wned. It's bad karma, and as these things always happen, you'll undoubtedly be next. Offer help if the situation warrants it. Explain what they need to do if they seem clueless. But why am I telling you this? You're also kindhearted and generous to a fault. Aren't you?
Give up: We've all been there-- you look at the stream of evil stuff constantly raining down on your network, and you despair. All I can say is don't give up. You've reported incident after incident, and it appears to go nowhere. Trust me, I know. I run a honeypot system... I get attacked on purpose, and I've probably sent thousands of emails reporting incidents. It never fails: just when I get to the point where I'm feeling like I'm trying to sop up the ocean with a paper towel (and I'm ready to throw in said towel), someone will actually reply and say thank you. They come in all kinds of ways: I had a guy call me back about an hour after I originally talked to him when he was... well... a bit rude. He explained that he was very suspicious when I initially called, but when he actually checked out what I had told him and found out that he *did* have an infected machine on his network, he just had to call back and say thanks. Years ago, I actually got a very nice Harry and David gift basket from a company I contacted when they had a server compromised. While I wouldn't sit by the front door waiting for the UPS guy to bring you largess, trust me, someone out there does appreciate what you're doing.
What *NOT* To Do When Someone Reports An Incident
Cop a 'tude: While I fully support you being skeptical/wary when someone calls you out of the blue to report an incident, skeptical and rude are two different things. If the person reporting an incident seems to be asking intrusive questions, feel free to say "I really don't feel comfortable answering that" and ask them politely to provide whatever information they can. If it's someone trying to scam you, well... you've been polite to a scammer... certainly not the end of the world. But if the incident turns out to be real, you're gonna feel really, REALLY bad if you were rude and demeaning to someone who was just trying to help you out. (And, if you don't feel bad, then you should seriously start looking around for your soul... 'cause it must've fallen out of you recently. Look over in the corner, behind the filing cabinet.)
Get All Litigious: I once called up the Superior Court of an unnamed California county to report that their website had been whacked and was currently advertising both erectile dysfunction medications and hot teens (i.e. they had the sex and the drugs... all they needed was some rock n'roll...). After the normal shuffling back and forth to various people who assured me that this issue wasn't their responsibility, somehow I ended up being palmed off on some County attorney who proceeded to explain all of the legal hell he was going to rain down on me for hacking their website. My opinion of Mr. Lawyer wasn't improved by the fact that he was clearly in negative-clue territory in his understanding of how the Intertubes worked. I finally silenced him when he asked me "How could you possibly know that this existed on our site if you didn't do it?" by giving him a very simple string of text to type into the mythical oracle of all knowledge known as Google. Don't even think of accusing someone who *contacts you* of being the bad guy. Doing this just makes you look silly. Stop it.
Look Stupid: If I had a nickel for everyone who told me they couldn't be the source of an attack because they run a) a firewall or b) antivirus, I would have... well... a lot of nickels. (Probably not enough to buy me another nice Harry and David gift basket, but still... a lot of nickels.) Come on... antivirus? A firewall? Really? If you're in IT and you truly believe that the fact that you're running a firewall or AV has any bearing on whether one of your machines could be infected and attacking others on the 'Net, then I have a bridge for sale. Really. I do. It's very pretty. Trust me.
Plant Your Flag: Liston's Law of 'Net Karma: If you're stupid enough that, without checking, you would actually tell someone that an attack couldn't possibly be sourcing from your network, then the attack *is* sourcing from your network. Don't get cocky, 'cause you never know. If someone tells you that you have an issue, ESPECIALLY if that someone provides you with detailed information, check it out -- do NOT just dismiss it. Look at it this way: if your network is reasonably well-monitored, it's not going to take you *that* long to confirm or deny... if it does, well then, your network isn't as well-monitored as you thought, now is it? Someone out there in Internet-land took the time to tell you that they think your network may be spewing badness -- the very *least* you can do is to look at some logs.
Play The Victim: You got 0wned. Something, somewhere went wrong. Man up (or woman up, but that just sounds weird...) and take 0wnership of the 0wning. It happened. Learn a lesson, fix something, and move on. Yes, you are a victim, just don't act like one.
Forget To Say Thank You: What? When your momma 'splained about manners were you spending your time pickin' your nose? (If so, you should've picked a better one... have you seen that thing between your eyes? Eeeesh!) Someone just did something nice for you. They took the time to deliver it to you, and the least (the VERY least) you can do is acknowledge them for it. No one likes to learn that their network has been 0wned, but would you really rather NOT know? And for those of you in the if-I-don't-acknowledge-it,-it-didn't-happen camp, come on! (And yes, I know that this is actually POLICY in some organizations...) Remember: THEY KNOW! They told YOU! Do you really think that the mind on the other end of that email or phone call you received will fall prey to the Jedi mind game you THINK you're perpetrating by not responding? "Oh, I guess since they never replied, those 5000 SSH login attempts never really happened..." No! They're just sitting back and thinking that you're a pretty big jerk for not even acknowledging their effort to let you know 'bout the problems you have. Seriously folks, tell your corporate counsel to go play with their briefs and send out a thank you... you don't need to admit to anything: just say "thank you for telling us about this issue, we're looking into it." A little common courtesy goes a long way, and for those of us in the trenches who actually take the time to let people know about these things, a thank you email is a lifeline. Harry and David gift baskets are nice too.
Tom Liston - Handler - SANS Internet Storm Center
Senior Security Analyst - InGuardians, Inc.
Director, InGuardians Labs
Chairman, SANS Virtualization and Cloud Computing Summit
Twitter: @tliston
My honeypot tweets: @netmenaces
There are many companies that are using Windows kiosks to give people an alternative way to get automated customer service. These kiosks are sometimes even developed by the same company.
How can you tell whether they provide an adequate level of security? When I have had to answer that question, I have found iKAT useful: it is a tool that tests how secure a kiosk is by checking whether it can spawn a shell or other programs, crash the browser, navigate to forbidden sites, and so on, among many other interesting plugins. You can also find iKAT for Linux.
Please note that the link has some advertising banners which may be deemed not suitable for working environments.
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
As announced on Friday, Microsoft released an out-of-band bulletin to address the recent Shortcut/LNK exploits. As confirmed in Microsoft's announcement, various malware is now attempting to exploit this vulnerability. The vulnerability is rather easy to exploit, in particular given the tools available to craft the necessary shortcuts.
Clients are the main target, but servers are just as vulnerable and should be patched as soon as possible. Please report any issues you have with the patch!
MS10-046: Vulnerability in Windows Shell (LNK/Shortcut)
  Affected: Windows Shell; CVE-2010-2568; KB 2286198
  Contra indications: (none listed)
  Known exploits: actively exploited
  Microsoft rating: Severity: Critical; Exploitability: 1
  ISC rating(*): clients: PATCH NOW! / servers: PATCH NOW!
-----
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Guess what: it is possible! Judy Novak posted an excellent article demonstrating it. Read it at http://www.packetstan.com/2010/07/potential-evasion-where-ips-fails-to.html
-- Manuel Humberto Santander Peláez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org
Microsoft is planning to release an out-of-band patch addressing the Shortcut vulnerability. The patch is scheduled for release on Monday, August 2nd, at 10am PDT.
As confirmed by Microsoft, a number of malware families have started incorporating the vulnerability in their exploit repertoire. For more details, see the Microsoft TechNet blog post [1].
[1] http://blogs.technet.com/b/msrc/archive/2010/07/29/out-of-band-release-to-address-microsoft-security-advisory-2286198.aspx
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Wireshark released an update to fix multiple vulnerabilities in versions 1.2.0 to 1.2.9. This release fixes several bugs. Wireshark indicated that "it may be possible to make Wireshark crash, hang, or execute code by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file."
References for the 1.2.x branch:
The release announcement is available here.
The release notes and bug fixes are available here.
Reference for the 1.0.x branch:
The release announcement is available here.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
httpry is a tool specialized for the analysis of web traffic. The tool itself can be used to capture traffic (httpry -o file), but other tools such as tcpdump, Snort or Sguil are better suited for that. When it comes to finding out whether certain types of files were downloaded via HTTP, this tool does a super job. It can be used in combination with regular expressions (regex) to find out whether a file, a script or a piece of malware was downloaded from a site or by a host, and it will ignore everything else. Whether the HTTP traffic is using port 80, 443, 8080, etc., it will parse and display all the web traffic using this simple command:
httpry -i eth0
If you are working with a large pcap file and want to filter on a particular IP or network, httpry supports libpcap filters to zoom in on the web traffic you want to analyze. This command will show all the web traffic associated with host 192.168.5.25:
httpry -r file 'host 192.168.5.25'
07/28/2010 18:00:02 192.168.5.25 216.66.8.10 GET www.symantec.com /enterprise/security_response/threatexplorer/threats.jsp HTTP/1.0 - -
07/28/2010 18:00:02 216.66.8.10 192.168.5.25 - - - HTTP/1.0 301 Moved Permanently
07/28/2010 18:00:02 192.168.5.25 216.66.8.16 GET www.symantec.com /business/security_response/threatexplorer/threats.jsp HTTP/1.0 - -
07/28/2010 18:00:03 216.66.8.16 192.168.5.25 - - - HTTP/1.0 200 OK
07/28/2010 18:00:03 192.168.5.25 67.97.80.71 GET vil.nai.com /VIL/newly_discovered_viruses.aspx HTTP/1.0 - -
07/28/2010 18:00:03 192.168.5.25 67.97.80.71 GET vil.nai.com /VIL/newly_discovered_viruses.aspx HTTP/1.0 - -
07/28/2010 18:00:03 67.97.80.71 192.168.5.25 - - - HTTP/1.1 200 OK
07/28/2010 18:01:48 74.125.157.101 192.168.5.25 - - - HTTP/1.1 200 OK
07/28/2010 18:01:48 192.168.5.25 173.194.15.95 GET safebrowsing-cache.google.com /safebrowsing/rd/ChNnb29nLW1hbHdhcmUtc2hhdmFyEAEYlZQCIJaUAioFFooAAAEyBRWKAAAB HTTP/1.1 - -
07/28/2010 18:01:48 173.194.15.95 192.168.5.25 - - - HTTP/1.1 200 OK
If you are checking for a particular file extension such as .exe, .js, .msi, .jpg, etc., you can combine httpry's output with grep to find out whether any binaries (i.e. malware) were downloaded from a certain site or by a particular client, working from a pcap capture file. In this example we grep for all the JavaScript transferred by host 192.168.5.25 (the pattern is quoted so the shell does not strip the backslash before grep sees it):
httpry -r file 'host 192.168.5.25' | grep '\.js'
07/28/2010 10:57:08 192.168.5.25 69.192.143.238 GET www.quickquote.lincoln.com /static/com/forddirect/presentation/constants/SkinConstants_lincoln.js HTTP/1.1 - -
07/28/2010 10:57:08 192.168.5.25 69.192.143.238 GET www.quickquote.lincoln.com /yui/yahoo-dom-event/yahoo-dom-event.js HTTP/1.1 - -
07/28/2010 10:57:08 192.168.5.25 69.192.143.238 GET www.quickquote.lincoln.com /static/com/forddirect/application/bp20/metrics/s_code.js HTTP/1.1 - -
The httpry website is here. The tarball can be downloaded here, and there is a FreeBSD port here.
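The grep approach above over-matches: a `\.js` pattern also hits `threats.jsp` (as in the first listing) or any host name containing the string. As an added example that is not part of httpry or the diary, here is a small parser for httpry's default output format, as shown in the listings above, that filters on the actual URI path extension per client; the log lines in it are constructed sample data with documentation-range server addresses.

```python
from collections import Counter, namedtuple
from urllib.parse import urlsplit

# The ten columns httpry prints by default (the 2010-era format in the diary).
Record = namedtuple("Record", "date time src dst method host uri version status reason")

# Constructed sample output: request lines carry method, host and URI and end
# in "- -"; response lines carry "- - -" and then version, status and reason.
SAMPLE_HTTPRY = """\
07/28/2010 10:57:08 192.168.5.25 203.0.113.10 GET www.example.com /static/app/s_code.js HTTP/1.1 - -
07/28/2010 10:57:08 203.0.113.10 192.168.5.25 - - - HTTP/1.1 200 OK
07/28/2010 10:57:09 192.168.5.25 203.0.113.10 GET www.example.com /yui/yahoo-dom-event.js?v=2.8 HTTP/1.1 - -
07/28/2010 10:57:09 203.0.113.10 192.168.5.25 - - - HTTP/1.1 304 Not Modified
07/28/2010 10:58:00 192.168.5.25 203.0.113.20 GET cdn.example.org /downloads/update.exe HTTP/1.1 - -
07/28/2010 10:58:00 203.0.113.20 192.168.5.25 - - - HTTP/1.1 200 OK
07/28/2010 10:58:05 192.168.5.25 203.0.113.30 GET www.example.net /threatexplorer/threats.jsp HTTP/1.0 - -
07/28/2010 10:58:05 203.0.113.30 192.168.5.25 - - - HTTP/1.0 301 Moved Permanently
07/28/2010 10:59:10 192.168.5.40 203.0.113.20 GET cdn.example.org /images/logo.jpg HTTP/1.1 - -
07/28/2010 10:59:10 203.0.113.20 192.168.5.40 - - - HTTP/1.1 200 OK
"""


def parse_httpry_line(line):
    """Split one line into Record fields; the reason phrase may contain spaces."""
    parts = line.strip().split(None, 9)
    if len(parts) < 9:
        return None            # blank line, httpry banner, or truncated record
    if len(parts) == 9:
        parts.append("-")      # response without a reason phrase
    return Record(*parts)


def parse_httpry(text):
    """All well-formed records in a block of httpry output, in order."""
    recs = (parse_httpry_line(l) for l in text.splitlines())
    return [r for r in recs if r is not None]


def is_request(rec):
    return rec.method != "-"


def uri_extension(uri):
    """Lower-cased extension of the URI path only, ignoring any query string."""
    name = urlsplit(uri).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def downloads_by_client(records, client_ip, extensions):
    """Requests from client_ip whose path ends in one of the given extensions."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    return [r for r in records
            if is_request(r) and r.src == client_ip
            and uri_extension(r.uri) in wanted]


def grep_style_matches(records, needle):
    """What grep on the raw line finds: the substring anywhere in the record."""
    return [r for r in records if is_request(r) and needle in " ".join(r)]


def servers_by_download_count(records, extensions):
    """How many files of the given types each server host handed out."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    hosts = Counter(r.host for r in records
                    if is_request(r) and uri_extension(r.uri) in wanted)
    return dict(hosts)
```

Feed it `httpry -r file` output redirected to a text file; `grep_style_matches` is there only to show the extra `.jsp` hit the raw-line search produces.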
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Fellow handler Kevin points us to new developments in this case, announced here: www.fbi.gov/pressrel/pressrel10/mariposa072810.htm
New versions of Snort (Beta and Production) are both out. Release notes are here: http://www.snort.org/news/2010/07/28/snort-2-8-6-1-and-snort-2-9-beta-released/
New features that I'm finding interesting in 2.9 (Beta):
- A Data Acquisition API (DAQ) is introduced in this version.
- A byte extract option that bears some investigation: it allows values extracted from one rule option to be used in subsequent rule options.
- Some welcome updates for IPv6.
- Support for Intel's QuickAssist for use in pattern matching. This is by far the most interesting feature in the bunch (to me at least): support for hardware-based acceleration (on boxes that have this feature). QuickAssist uses FSB-attached FPGAs for this, so it builds on previous FPGA work. Attaching the FPGAs to the server FSB overcomes previous limitations in FPGA I/O rates (talk about the sledgehammer approach!), which likely raises the maximum throughput for Snort considerably!
More info on QuickAssist, and Snort's integration with it, can be found here: http://www.intel.com/technology/platforms/quickassist/
and here: http://download.intel.com/embedded/applications/networksecurity/324029.pdf
If anyone has used the new QuickAssist feature and has formal or informal benchmarks, please feel free to comment!
=============== Rob VandenBrink, Metafore ===============
Paul wrote in to tell us about the new version of NoScript just out: http://noscript.net/
The main new feature is protection against Craig Heffner's DNS rebinding attack that's getting some press, which will be presented at Black Hat this week: http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Heffner
The protection is pretty simple: look up the public IP of the workstation, and place it in the LOCAL pseudo-list. It uses a public site, https://secure.informaction.com/ipecho, for this. I can't comment at this time on whether this is a safe site to use for this or not.
If anyone has more info on this please feel free to comment.
=============== Rob VandenBrink Metafore ===============
This year's data breach report continues this valuable narrative. This year's report is based on a larger case sample than in previous years, thanks to a partnership with the United States Secret Service, who contributed information on a few hundred of their cases this year. Many of the findings echo those of previous years (excerpts below).
Who is behind Data Breaches?
- 70% resulted from external agents
- 48% caused by insiders
- 11% implicated business partners
- 27% involved multiple parties
How do breaches occur?
- 48% involved privilege misuse
- 40% resulted from hacking
- 38% utilized malware
- 28% involved social tactics
- 15% comprised physical attacks
What commonalities exist? (this was the interesting section for me)
- 98% of all data breached came from servers
- 85% of attacks were not considered highly difficult
- 61% were discovered by a third party
- 86% of victims had evidence of the breach in their log files
- 96% of breaches were avoidable through simple or intermediate controls
- 79% of victims subject to PCI DSS had not achieved compliance
Come on! Not only do folks not seem to be implementing some basic protections, but when they're told that they've been compromised (in their log files), no one is listening! I guess this isn't much different from previous years, but it'd be nice to see a positive trend here.
I'm not sure that I believe the low numbers for government data breaches (4%). I guess the report can only summarize data from cases that are seen by the incident handlers.
Find the full report here: http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf
Take a few minutes to read it over coffee this morning. I found it a good read, and just about the right length for that first cup!
=============== Rob VandenBrink, Metafore =====================
According to this announcement:
http://secunia.com/advisories/40780/
The problem is that passwords may in certain cases be logged to /var/log/messages while running GNOME Display Manager in debug mode (disabled by default).
This was originally reported on 02-15-2009 here:
https://bugzilla.gnome.org/show_bug.cgi?id=571846
A patch was issued the same day. A supported patch was issued 05-14-2010.
The secunia advisory did not have many details.
The Sun blog link provided did not have very much information.
http://blogs.sun.com/security/entry/cve_2010_2387_password_disclosure
The CVE is reserved and not available yet.
The rest of the information is apparently in the Customer Area.
Does this mean we can count on a no-public-disclosure policy for Sun products now that Oracle owns them?