SANS ISC Internet Storm Center

"Death" of Internet Services

Published: 2014-09-02
Last Updated: 2014-09-02 16:13:12 UTC
by Rob VandenBrink (Version: 1)

No, we're not talking about 1940s literature today - I've been reading, as have many, that Microsoft is planning to finally stop the venerable MSN Messenger Chat service. I find it interesting that the press is touting that MSN has few users left. This might be true in our community, and I wouldn't doubt that almost every demographic has moved away from MSN to other chat services like SMS on phones, Facebook, Skype, Twitter or whatever.

But maybe Toronto is an internet backwater or something – for every IPS stand-up or egress filter I configure, in any company, I'll still find a handful of MSN Messenger users. While we're seeing generally low activity on the main port used by MSN (1863), we still see spikes in traffic - https://isc.sans.edu/port.html?port=1863

Do internet services ever die naturally?  It seems to me that folks hang on to what they know like grim death, and only give up services when they’re terminated forcibly.  

As a penetration tester, these older services can be a gold mine. To me, older services (not to pick on any one service in particular) quite often are clear-text, so if you can get a clean packet capture then you've got a very good shot at harvesting credentials. And we know for a fact that folks will tend to re-use credentials - userids are easy to derive, but if you can harvest passwords on one service, you've got an excellent chance at re-using them to compromise another application or service.

Again, I'm not sure if it's just me, but I also tend to see that users of older "consumer" type applications like this, for some reason, seem to be clustered in the upper echelons of many companies. In other words, some of the best targets (politically at least) are using some of the most easily compromised applications.

Password re-use, preferring old/known applications to new ones, and "user clustering" around older apps - are you seeing these same trends?

Did xkcd get it right?  http://xkcd.com/1305/

Please, use our comment form and let us know what you're seeing, both on MSN Messenger and on other "old" internet applications!

===============
Rob VandenBrink
Metafore


Apple iCloud Security Incident

Published: 2014-09-02
Last Updated: 2014-09-02 11:57:52 UTC
by Rob VandenBrink (Version: 1)

There's lots of interest in the recent iCloud incident, where apparently several "celebrity" accounts were compromised.

Sorry to say, it's not a rumour.  It's also something that could and should have been prevented.  It turns out that the API for the "Find My iPhone" app did not have protections against brute force attacks.

This, combined with the first couple hundred lines of a common password dictionary (often downloaded as the filename "500 worst passwords"), resulted in some targeted accounts being compromised. And of course, once an account password is successfully guessed, all iCloud data for that account is available to the attackers. So no rocket science, no uber hacking skills. Just one exposed attack surface, basic coding skills and some persistence.
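The missing control described above, shown as an added example (hypothetical Python, not Apple's code and not the script the diary refers to): a login check with no brute-force protection beside one that counts failures per account in a sliding window and locks the account after too many. The user store, thresholds and guess list are constructed for the demo.

```python
import hmac
from collections import defaultdict, deque

# Constructed credential store for the demo (hypothetical; not from any real service).
# Real deployments store salted password hashes, never plaintext.
USERS = {"alice": "correct horse battery staple"}

def password_matches(account, password):
    stored = USERS.get(account, "")
    # Constant-time compare; unknown accounts fall through to a failed compare.
    return hmac.compare_digest(stored.encode(), password.encode()) and account in USERS

class BruteForceGuard:
    """Sliding-window failure counter per account with a temporary lockout."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > self.window_s:   # drop failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s
            q.clear()

    def record_success(self, account):
        self.failures.pop(account, None)

def unguarded_login(account, password):
    # The weak pattern: every guess is checked, no matter how many arrive.
    return password_matches(account, password)

def guarded_login(guard, account, password, now):
    if guard.is_locked(account, now):
        return "locked"    # skip the check entirely; a lockout is also a signal worth alerting on
    if password_matches(account, password):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account, now)
    return "denied"

def replay_guesses(guesses, guard=None):
    """Feed a constructed guess list (one per second) through the guarded login and tally outcomes."""
    guard = guard or BruteForceGuard()
    tally = {"ok": 0, "denied": 0, "locked": 0}
    for i, pw in enumerate(guesses):
        tally[guarded_login(guard, "alice", pw, now=float(i))] += 1
    return tally
```

With the default thresholds, five bad guesses lock the account, so the sixth attempt is refused even when it happens to be the right password; the unguarded version would have accepted it.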

Having gone through that password file, you really wonder how much folks using any of those passwords valued their data in the first place.

Apple quickly fixed the vulnerability, so it is no longer in play (unless your account was compromised prior to the mitigation and you haven't changed your password). The code is on GitHub if you are interested.

This just reinforces the common theme that - to put it mildly - trusting personal data to simple passwords is not recommended.  If you can't use complex passwords (for me, that's greater than 15 characters) or don't have a second factor, then don't use the service.

===============
Rob VandenBrink
Metafore
