SANS ISC InfoSec Handlers Diary Blog

Tip of the Day - Color and Bar Coded Daily Risk Analysis

Published: 2006-08-26
Last Updated: 2006-08-27 13:32:00 UTC
by Patrick Nolan (Version: 1)
We all get busy, but when it comes to performing the daily risk analysis of vulnerability and exploit information that could affect your environment, do not rely on the "risk/threat" color or other graphic indicator assigned by third parties to triage how much of that information you read. Whether a third party has assigned Green, Yellow, Red or "1 out of 4" as the "risk/threat" level, your attackers are evaluating the same vulnerability and exploit information.
Keywords: ToD

Mailbag Detect info

Published: 2006-08-26
Last Updated: 2006-08-26 20:39:49 UTC
by Joel Esler (Version: 1)
Ed was able to send the Handlers some packets of the data he was looking at. 

The packets we received appear to be a FreeBSD ISO download from one of the FreeBSD mirrors, so these particular alerts from Snort appear to be false positives. SHELLCODE rules can generate a lot of false positives, because the detect is such a simple payload match. It is more reliable to use other detection rules in conjunction with SHELLCODE rules, in order to get a full picture. Snort.org and Sourcefire know this, and that's why the rules are disabled by default. Finally, as with any rule in Snort, make sure to read the documentation, paying particular attention to the false positive section.

As a reminder, when submitting Snort alerts or other packets to the ISC Handlers, please send us full packet captures. Not only the alerts from Snort (such as the packets it logs in tcpdump mode), but, to better assist you, the full stream (SYN, SYN/ACK, ACK... the whole conversation!). Packets we get in context (a full packet capture) are 10x better than one-sided alerts.
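To show why a bare SHELLCODE match needs corroboration, here is an added example (not ISC or Snort code) that models the point above: a simplified x86 NOOP-sled pattern (a run of 0x90 bytes, in the spirit of the classic SHELLCODE x86 NOOP rule) fires on arbitrary binary content such as an ISO download, so a flow is only escalated when direction or a second rule backs it up. The flows, addresses and the second-rule label are constructed sample data.

```python
"""Triage a simple SHELLCODE content match using flow context.

Added example, not ISC or Snort code. The NOP_SLED pattern, flows and
corroborating alert names are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

NOP_SLED = b"\x90" * 14  # simplified x86 NOOP sled pattern (assumption)


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    server_to_client: bool            # True when payload flows server -> client
    payload: bytes
    other_alerts: list = field(default_factory=list)  # other rules on this flow


def shellcode_match(payload: bytes) -> bool:
    """The raw content match: cheap, simple, and prone to false positives."""
    return NOP_SLED in payload


def triage(flow: Flow) -> str:
    """Classify a SHELLCODE hit using flow direction and corroborating alerts."""
    if not shellcode_match(flow.payload):
        return "no-match"
    if flow.server_to_client and not flow.other_alerts:
        # Pattern found inside data a client pulled from a server (e.g. an ISO
        # mirror): the bytes alone do not imply an exploit attempt.
        return "likely-false-positive"
    if flow.other_alerts:
        return "corroborated"
    return "uncorroborated"


# Constructed sample: a chunk of an ISO download (server -> client on port 80)
# that happens to contain a padding run of 0x90 bytes.
iso_chunk = bytes(range(256)) + b"\x90" * 64 + bytes(range(256))
ISO_DOWNLOAD = Flow("203.0.113.10", "198.51.100.5", 80, True, iso_chunk)

# Constructed sample: client -> server payload to SMB with the same run,
# where a second, protocol-aware rule also fired on the flow.
SMB_PROBE = Flow("198.51.100.5", "203.0.113.20", 445, False,
                 b"\x00\x00\x00\x90" + b"\x90" * 32 + b"A" * 16,
                 other_alerts=["NETBIOS SMB anomaly (constructed label)"])

if __name__ == "__main__":
    for name, f in (("iso download", ISO_DOWNLOAD), ("smb probe", SMB_PROBE)):
        print(f"{name}: raw match={shellcode_match(f.payload)} -> {triage(f)}")
```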

Update for Intel(R) PRO/Wireless 3945ABG Network Connection Software bugs

Published: 2006-08-26
Last Updated: 2006-08-26 18:16:44 UTC
by Patrick Nolan (Version: 1)
Release Notes for the Intel(R) PRO/Wireless 3945ABG Network Connection update have been posted at Intel.

The release notes describe a number of bug fixes including Memory Utilization Increase issues mentioned in a Diary entry by Bojan here.

The download location for Intel® PROSet/Wireless Software version 10.5.0.1 is here.

Thanks Jack!

Haxdoor.KI Deja Vu

Published: 2006-08-26
Last Updated: 2006-08-26 17:24:47 UTC
by Patrick Nolan (Version: 1)
F-Secure has updated their description of Haxdoor.KI to note "The skyinet.info website (located in Russia) that the backdoor connects to, is now offering a URL that points to a file named samki.exe. This file contains a nasty payload that damages Windows beyond repair. This file can be downloaded and launched by a hacker to destroy all infected computers when time comes." Their original blog alert info is here.

Reader Report from Botnet Master Christopher Maxwell's sentencing

Published: 2006-08-26
Last Updated: 2006-08-26 13:41:57 UTC
by Patrick Nolan (Version: 1)
We had a noteworthy news submission from Russ who had just "attended Christopher Maxwell's sentencing today in Seattle and at 4:45 PST in the case of the US vs. Christopher Maxwell, Mr. Maxwell was sentenced to three years incarceration, followed by three years probation and will pay approximately $250,000 in combined restitution to DoD and Northwest Hospital. He may ultimately pay more restitution to a school district he wreaked havoc on in his adware for dollars campaign.
Ring one up for the good guys...the US Attorney Kathryn Warma was excellent and the Judge was incredibly fair and deliberate in her judgement."

More details:
"Botnet" hacker sentenced to 3 years

Aug 21 Sun Java patch fixes problems that May Allow Applets and Applications to Run With Unpatched JREs installed

Published: 2006-08-26
Last Updated: 2006-08-26 02:21:06 UTC
by Patrick Nolan (Version: 1)
I didn't see much mention of this, but it's a long-needed critical fix. Sun says that prior to version 5.0 Update 6, an application or an applet could specify the version of the JRE on which it would run. "This issue can occur in the following releases (for Solaris, Linux and Windows platforms):

Java Plug-in included with J2SE 5.0 Update 5 and earlier, 1.4.x, 1.3.1, and 1.3.0_02 and later
Java Web Start included with J2SE 5.0 Update 5 and earlier, and 1.4.2
Java Web Start 1.2, 1.0.2, 1.0.1, and 1.0".

Advisory - Java Plug-in and Java Web Start May Allow Applets and Applications to Run With Unpatched JRE
